PT-2020-5648 · Ruby On Rails · Action View
Jesse Campos · Published 2020-03-19 · Updated 2024-06-15 · CVE-2020-5267
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ActionView versions prior to 6.0.2.2 and 5.2.4.2
Description
There is a possible cross-site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks. The issue stems from insufficient neutralisation of user-supplied input when it is embedded in generated web page content. Exploitation of the vulnerability may allow a remote attacker to impact data integrity.
Recommendations
For versions prior to 6.0.2.2 and 5.2.4.2, update to version 6.0.2.2 (6.0 series) or 5.2.4.2 (5.2 series) to resolve the issue.
As a temporary workaround, consider applying the provided monkey patch to the JavaScriptHelper module.
Restrict the use of the j and escape_javascript methods in views until the issue is resolved.
For those who cannot upgrade immediately, apply the provided patches for the 5.2 and 6.0 series.
Tags: Exploit · Fix · XSS
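As an added illustration (not code from the advisory, nor ActionView's own implementation), the following stand-alone Ruby models the escape table behind the escape_javascript / j helper in its pre-fix form beside a hardened form; the two extra entries (backtick and "$", which can close or interpolate into a JavaScript template literal) are the characters the upstream fix for CVE-2020-5267 added, and the checker at the end is a way to confirm that whichever helper is in use, including the vendor's monkey patch, neutralises them.

```ruby
# Added example (not the advisory's or Rails' own code): a stand-alone model of
# the escape table behind ActionView's escape_javascript / j helper.
# LEGACY_MAP mirrors the pre-fix table; HARDENED_MAP adds the two characters
# (backtick and "$") that the upstream fix for CVE-2020-5267 introduced, since
# they can terminate or interpolate into a JavaScript template literal.

LEGACY_MAP = {
  "\\"     => "\\\\",
  "</"     => '<\/',
  "\r\n"   => '\n',
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\\"',
  "'"      => "\\'",
  "\u2028" => "&#x2028;",
  "\u2029" => "&#x2029;"
}.freeze

HARDENED_MAP = LEGACY_MAP.merge("`" => "\\`", "$" => "\\$").freeze

# Replace every key of +map+ found in +javascript+ with its escaped form.
# Regexp.union quotes the keys and tries them in hash order, so the two-byte
# "\r\n" entry wins over the single "\r" / "\n" entries.
def escape_with(map, javascript)
  return "" if javascript.nil?
  javascript.to_s.gsub(Regexp.union(map.keys)) { |m| map[m] }
end

def escape_javascript_legacy(javascript)
  escape_with(LEGACY_MAP, javascript)
end

def escape_javascript_hardened(javascript)
  escape_with(HARDENED_MAP, javascript)
end

# Probe any escaper (the real ActionView helper, a monkey patch, or the models
# above) with the template-literal metacharacters; true only if both come back
# backslash-escaped, i.e. the CVE-2020-5267 fix is in effect.
def escapes_template_literal_chars?(escaper)
  ["`", "$"].all? { |ch| escaper.call(ch) == "\\#{ch}" }
end

if __FILE__ == $0
  payload = '`${name}`' # constructed sample: user-controlled text in a template literal
  puts "legacy:   #{escape_javascript_legacy(payload)}"
  puts "hardened: #{escape_javascript_hardened(payload)}"
  puts "fixed?    #{escapes_template_literal_chars?(method(:escape_javascript_hardened))}"
end
```

To check a real installation, pass the helper itself, e.g. `method(:escape_javascript)` from within a view context, to escapes_template_literal_chars?; a false result means the fixed version or patch is not in effect.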
Affected Products: Action View, Suse