PT-2011-4190 · Ruby+1 · Ruby On Rails+1
Sascha Depold
·
Published
2011-08-29
·
Updated
2019-08-08
·
CVE-2011-2931
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Ruby on Rails versions prior to 2.3.13
Ruby on Rails versions 3.0.x prior to 3.0.10
Ruby on Rails versions 3.1.x prior to 3.1.0.rc5
Description
A cross-site scripting (XSS) issue exists in the
strip tags helper, allowing remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. This can be achieved by exploiting the strip tags helper in actionpack/lib/action controller/vendor/html-scanner/html/node.rb.Recommendations
For Ruby on Rails versions prior to 2.3.13, update to version 2.3.13 or later.
For Ruby on Rails versions 3.0.x prior to 3.0.10, update to version 3.0.10 or later.
For Ruby on Rails versions 3.1.x prior to 3.1.0.rc5, update to version 3.1.0.rc5 or later.
As a temporary workaround, consider restricting the use of the
strip tags helper until a patch is available.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ruby On Rails
Suse