CVE-2014-0046: ember-source Cross-site Scripting vulnerability

August 28, 2018 (updated August 11, 2025)

Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.

References

  • exchange.xforce.ibmcloud.com/vulnerabilities/91242
  • github.com/advisories/GHSA-4q53-fqhc-cr46
  • github.com/emberjs/ember.js
  • github.com/emberjs/ember.js/commit/45ee8df2a0efc0afe233d6b9b17045782a2e6b2d
  • github.com/emberjs/ember.js/commit/94b28b8773acf894c4d7d7fccf4411a706292436
  • github.com/emberjs/ember.js/commit/ab3199e68e1d0fc3c8f7f453cd38c51fe02af90b
  • github.com/rubysec/ruby-advisory-db/blob/master/gems/ember-source/CVE-2014-0046.yml
  • groups.google.com/forum/
  • nvd.nist.gov/vuln/detail/CVE-2014-0046

Affected versions

All versions starting from 1.4.0.beta.1 before 1.4.0.beta.6, all versions starting from 1.2.0 before 1.2.2, all versions starting from 1.3.0 before 1.3.2

Fixed versions

  • 1.2.2
  • 1.3.2
  • 1.4.0.beta.6

Solution

Upgrade to versions 1.2.2, 1.3.2, 1.4.0.beta.6 or above.
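
An added example, not part of the advisory or of GitLab's tooling: a Ruby check that reads the resolved ember-source version from Gemfile.lock text and tests it against the affected ranges listed above, including the prerelease ordering of the 1.4.0 betas. The sample lockfile and the helper names (locked_ember_source, affected?, check_lockfile) are constructed for illustration.

```ruby
require "rubygems"

# Affected ranges copied from this advisory's "Affected versions" section.
AFFECTED = [
  Gem::Requirement.new(">= 1.2.0", "< 1.2.2"),
  Gem::Requirement.new(">= 1.3.0", "< 1.3.2"),
  Gem::Requirement.new(">= 1.4.0.beta.1", "< 1.4.0.beta.6"),
].freeze

# True when the given version string falls inside any affected range.
# Gem::Version orders prereleases below the release (1.4.0.beta.6 < 1.4.0),
# so the final 1.4.0 is correctly treated as fixed.
def affected?(version)
  v = Gem::Version.new(version)
  AFFECTED.any? { |req| req.satisfied_by?(v) }
end

# Returns the resolved ember-source version from Gemfile.lock text, or nil.
# Resolved specs are indented exactly four spaces; constraint lines under
# another gem (six spaces) or under DEPENDENCIES (two spaces) are skipped.
def locked_ember_source(lockfile_text)
  m = lockfile_text.match(/^ {4}ember-source \(([^)]+)\)$/)
  m && m[1]
end

# Returns :not_present, :affected or :not_affected for a lockfile's text.
def check_lockfile(lockfile_text)
  version = locked_ember_source(lockfile_text)
  return :not_present if version.nil?
  affected?(version) ? :affected : :not_affected
end

# Constructed sample lockfile (gem versions here are illustrative only).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ember-rails (0.14.1)
        ember-source (>= 1.1.0)
      ember-source (1.3.1)
        handlebars-source (~> 1.0)

  DEPENDENCIES
    ember-rails
LOCK

puts "ember-source #{locked_ember_source(SAMPLE_LOCK)}: #{check_lockfile(SAMPLE_LOCK)}"
```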

Impact 2.6 LOW

AV:N/AC:H/Au:N/C:N/I:P/A:N

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

gem/ember-source/CVE-2014-0046.yml

Page generated Wed, 27 Aug 2025 12:18:45 +0000.