CVE-2016-6316 - Rails (Action View) XSS Vulnerability

  • Posted November 2, 2016

  • Assessed Risk Level: Medium

On August 8, 2016, Ruby on Rails announced a cross-site scripting (XSS) vulnerability in Action View.

Previous versions of Puppet Enterprise shipped with a vulnerable version of Rails. Puppet Enterprise 3.8.7 contains an updated version of Rails that patches the vulnerability.

For more information about this vulnerability, refer to the Ruby on Rails security announcement.


Affected Software Versions:

  • Puppet Enterprise versions prior to 3.8.7

Resolved in:

  • Puppet Enterprise 3.8.7