Overview

CVE-2016-6316 - Rails (Action View) XSS Vulnerability

  • Posted November 2, 2016

  • Assessed Risk Level: Medium

On August 8, 2016, Ruby on Rails announced a cross-site scripting (XSS) vulnerability in Action View.

Previous versions of Puppet Enterprise shipped with a vulnerable version of Rails. Puppet Enterprise 3.8.7 contains an updated version of Rails that patches the vulnerability.

For more information about these vulnerabilities, refer to the [Ruby on Rails security announcement](http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/).

Status:

Affected Software Versions:

  • Puppet Enterprise versions prior to 3.8.7

Resolved in:

  • Puppet Enterprise 3.8.7