Ruby · Ruby On Rails · CVE-2011-0446
**Name of the Vulnerable Software and Affected Versions**
Ruby on Rails 2.x before 2.3.11
Ruby on Rails 3.x before 3.0.4
**Description**
Multiple cross-site scripting (XSS) vulnerabilities exist in the `mail_to` helper when it is called with the `:encode => "javascript"` option. In that mode the helper wraps the generated `<a href="mailto:...">` tag in a `document.write('...')` call, percent-encodes it, and emits a `<script>` tag that decodes and evaluates the result. The name and email values were not adequately escaped before being embedded in that payload, so a remote attacker who controls either the (1) name or the (2) email value can inject arbitrary web script or HTML into the page. The percent-encoding protects only the outer `<script>` context; it does nothing for the markup that `document.write` later inserts, and a quote character in the value can also terminate the JavaScript string literal.
**Recommendations**
For the Ruby on Rails 2.x series, upgrade to version 2.3.11 or later.
For the Ruby on Rails 3.x series, upgrade to version 3.0.4 or later.
If you cannot upgrade immediately, stop passing `:encode => "javascript"` to `mail_to` wherever the name or email value can be influenced by a user; the default, non-encoded form does not wrap the link in a generated script.
Treat `name` and `email` as untrusted input: validate the address against an email-address format and HTML-escape any user-supplied display name before handing it to the helper, rather than relying on the helper to do so in its javascript-encoded mode.
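The following Ruby script is an added example for the description and the workaround above; it is not Rails' own `mail_to` implementation. It models the shape the advisory describes (anchor tag inside `document.write('...')`, percent-encoded, evaluated via `eval(decodeURIComponent(...))`), first without escaping and then with HTML escaping of the values plus JavaScript-string escaping of the finished anchor, and it models the browser side far enough to show what markup would actually be written. The zero-padded `%02x` encoding, the helper names, and the sample address `alice@example.com` are assumptions made for the example.

```ruby
require 'cgi'

# Simplified model of mail_to(email, name, :encode => "javascript"), written
# for this page; it is NOT Rails' own implementation. It keeps the shape the
# advisory describes: an <a href="mailto:..."> tag wrapped in
# document.write('...'), percent-encoded, then eval(decodeURIComponent(...))
# inside a <script> tag. Zero-padded %02x is an assumption, chosen so that a
# browser's decodeURIComponent accepts every byte.
def percent_encode_all(str)
  str.each_byte.map { |b| format('%%%02x', b) }.join
end

def wrap_in_script(js_source)
  %(<script type="text/javascript">eval(decodeURIComponent('#{percent_encode_all(js_source)}'))</script>)
end

# Vulnerable shape: name and email land verbatim inside the anchor, and the
# anchor lands verbatim inside a single-quoted JavaScript string literal.
# The percent-encoding only protects the outer <script> context; it does
# nothing for the HTML that document.write later inserts.
def mailto_js_vulnerable(email, name = nil)
  anchor = %(<a href="mailto:#{email}">#{name || email}</a>)
  wrap_in_script("document.write('#{anchor}');")
end

# Escape for a single-quoted JavaScript string literal.
JS_ESCAPES = { '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\n" => '\\n', "\r" => '\\r' }.freeze

def escape_js_string(str)
  str.gsub(/[\\'"\r\n]/) { |c| JS_ESCAPES[c] }
end

# Hardened shape: HTML-escape the values first (so the written markup cannot
# carry attacker tags), then JS-escape the finished anchor (so it cannot
# terminate the string literal). Each layer covers one context; both are needed.
def mailto_js_hardened(email, name = nil)
  safe_email = CGI.escapeHTML(email.to_s)
  safe_name  = CGI.escapeHTML((name || email).to_s)
  anchor = %(<a href="mailto:#{safe_email}">#{safe_name}</a>)
  wrap_in_script("document.write('#{escape_js_string(anchor)}');")
end

# --- Model of what the browser does with the emitted tag -------------------

# Pull the percent-encoded payload out of the <script> and decode it, giving
# the JavaScript source that eval() would run.
def decoded_js(script_html)
  encoded = script_html[/decodeURIComponent\('([^']*)'\)/, 1]
  encoded.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr }.force_encoding('UTF-8')
end

# If the decoded source is exactly one document.write('...') call, return the
# HTML it would insert into the page. Return nil when the source has been
# turned into something else, i.e. the attacker broke out of the literal.
def written_html(script_html)
  m = decoded_js(script_html).match(/\Adocument\.write\('((?:[^'\\]|\\.)*)'\);\z/)
  return nil unless m
  m[1].gsub(/\\(.)/) { { 'n' => "\n", 'r' => "\r" }.fetch($1, $1) }
end

# Two constructed payloads, one per injection context, and a constructed address.
MARKUP_PAYLOAD  = '</a><script>alert(1)</script>'   # breaks out of the HTML
LITERAL_PAYLOAD = "'); alert(1); ('"                 # breaks out of the JS literal
EMAIL = 'alice@example.com'

if __FILE__ == $0
  [MARKUP_PAYLOAD, LITERAL_PAYLOAD].each do |payload|
    puts "payload:    #{payload.inspect}"
    puts "vulnerable: #{written_html(mailto_js_vulnerable(EMAIL, payload)).inspect}"
    puts "hardened:   #{written_html(mailto_js_hardened(EMAIL, payload)).inspect}"
  end
end
```

Running the script shows the two failure modes side by side: with the markup payload the vulnerable form writes a live `<script>` element into the page, and with the quote payload the decoded JavaScript is no longer a single `document.write` call at all, which is why `written_html` returns `nil` for it. The hardened form writes only entity-escaped text in both cases. The same two escapes are what you apply yourself if you must keep the javascript-encoded helper on an unpatched release: HTML-escape the display name and address before the call, and never let a raw quote reach the generated literal.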