CVE-2014-4920

描述

The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a reflected cross-site scripting (XSS) attack. This flaw exists because the bootstrap_flash helper method does not validate input when handling flash messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

受影響套件(1)

• RubyGems/twitter-bootstrap-railsfrom 0, < 3.2.0

參考連結(2)

• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/twitter-bootstrap-rails/CVE-2014-4920.yml
• WEBhttps://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter