PT-2011-2349 · Ruby+1 · Ruby On Rails+1
Brendan Coles
+1
·
Publicado
2011-02-14
·
Atualizado
2019-08-08
·
CVE-2011-0446
CVSS v2.0
4.3
Média
| Vetor | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Ruby on Rails versions 2.3.11 and earlier
Ruby on Rails versions 3.0.4 and earlier
Description
The issue allows remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value in the
mail to helper when javascript encoding is used. This is a cross-site scripting (XSS) issue.Recommendations
For Ruby on Rails versions 2.3.11 and earlier, update to version 2.3.11 or later.
For Ruby on Rails versions 3.0.4 and earlier, update to version 3.0.4 or later.
As a temporary workaround, consider disabling the
mail to helper function until a patch is available.
Restrict input for the name and email values in the mail to helper to minimize the risk of exploitation.Exploit
Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Ruby On Rails
Suse