PT-2011-4191 · Ruby+1 · Ruby On Rails+1
Tenderlove
·
Published
2011-08-29
·
Updated
2019-08-08
·
CVE-2011-2932
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Ruby on Rails versions 2.x through 2.3.12
Ruby on Rails versions 3.0.x through 3.0.9
Ruby on Rails versions 3.1.x through 3.1.0.rc4
Description
A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability" in the
activesupport/lib/active support/core ext/string/output safety.rb file. This issue affects Ruby on Rails, enabling attackers to execute malicious scripts on user browsers.Recommendations
For Ruby on Rails versions 2.x through 2.3.12, update to version 2.3.13 or later.
For Ruby on Rails versions 3.0.x through 3.0.9, update to version 3.0.10 or later.
For Ruby on Rails versions 3.1.x through 3.1.0.rc4, update to version 3.1.0.rc5 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ruby On Rails
Suse