Lucene search

[email protected]CVE-2009-4214

HistoryDec 07, 2009 - 5:30 p.m.

CVE-2009-4214

2009-12-0717:30:00

CWE-79

[email protected]

web.nvd.nist.gov

cve

2009

4214

cross-site scripting

xss

vulnerability

ruby on rails

html::tokenizer

actionpack

html scanner

remote attackers

web script

html

ascii characters

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

7.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.7%

JSON

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Affected configurations

NVD

Node

rubyonrailsrailsMatch2.3.2

rubyonrailsrailsMatch2.3.3

rubyonrailsrailsMatch2.3.4

Node

rubyonrailsrailsMatch0.9.1

rubyonrailsrailsMatch0.9.2

rubyonrailsrailsMatch0.9.3

rubyonrailsrailsMatch0.9.4

rubyonrailsrailsMatch0.9.4.1

rubyonrailsrailsMatch0.10.0

rubyonrailsrailsMatch0.10.1

rubyonrailsrailsMatch0.11.0

rubyonrailsrailsMatch0.11.1

rubyonrailsrailsMatch0.12.0

rubyonrailsrailsMatch0.12.1

rubyonrailsrailsMatch0.13.0

rubyonrailsrailsMatch0.13.1

rubyonrailsrailsMatch0.14.1

rubyonrailsrailsMatch0.14.2

rubyonrailsrailsMatch0.14.3

rubyonrailsrailsMatch0.14.4

rubyonrailsrailsMatch1.0.0

rubyonrailsrailsMatch1.1.0

rubyonrailsrailsMatch1.1.1

rubyonrailsrailsMatch1.1.2

rubyonrailsrailsMatch1.1.3

rubyonrailsrailsMatch1.1.4

rubyonrailsrailsMatch1.1.5

rubyonrailsrailsMatch1.1.6

rubyonrailsrailsMatch1.2.0

rubyonrailsrailsMatch1.2.1

rubyonrailsrailsMatch1.2.2

rubyonrailsrailsMatch1.2.3

rubyonrailsrailsMatch1.2.4

rubyonrailsrailsMatch1.2.5

rubyonrailsrailsMatch1.2.6

rubyonrailsrailsMatch1.9.5

rubyonrailsrailsMatch2.0.0

rubyonrailsrailsMatch2.0.0rc1

rubyonrailsrailsMatch2.0.0rc2

rubyonrailsrailsMatch2.0.1

rubyonrailsrailsMatch2.0.2

rubyonrailsrailsMatch2.0.4

rubyonrailsrailsMatch2.1.0

rubyonrailsrailsMatch2.1.1

rubyonrailsruby_on_railsRange≤2.1.2

rubyonrailsruby_on_railsMatch0.5.0

rubyonrailsruby_on_railsMatch0.5.5

rubyonrailsruby_on_railsMatch0.5.6

rubyonrailsruby_on_railsMatch0.5.7

rubyonrailsruby_on_railsMatch0.6.0

rubyonrailsruby_on_railsMatch0.6.5

rubyonrailsruby_on_railsMatch0.7.0

rubyonrailsruby_on_railsMatch0.8.0

rubyonrailsruby_on_railsMatch0.8.5

rubyonrailsruby_on_railsMatch0.9.0

CPENameOperatorVersion
rubyonrails:railsrubyonrails railseq2.3.2
rubyonrails:railsrubyonrails railseq2.3.3
rubyonrails:railsrubyonrails railseq2.3.4

CPE	Name	Operator	Version
rubyonrails:rails	rubyonrails rails	eq	2.3.2
rubyonrails:rails	rubyonrails rails	eq	2.3.3
rubyonrails:rails	rubyonrails rails	eq	2.3.4

References

github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5

groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1

lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html

secunia.com/advisories/37446

secunia.com/advisories/38915

support.apple.com/kb/HT4077

weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released

www.debian.org/security/2011/dsa-2260

www.debian.org/security/2011/dsa-2301

www.openwall.com/lists/oss-security/2009/11/27/2

www.openwall.com/lists/oss-security/2009/12/08/3

www.securityfocus.com/bid/37142

www.securitytracker.com/id?1023245

www.vupen.com/english/advisories/2009/3352

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

7.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.7%

JSON

Related for CVE-2009-4214

nessus12 openvas17 fedora3 debiancve1 github1 ubuntucve1 nvd2 cvelist1 osv4 prion1 cve1 debian3 securityvulns2 gentoo1 threatpost1