Lucene search

[email protected]CVE-2011-2197

HistoryJun 30, 2011 - 3:55 p.m.

CVE-2011-2197

2011-06-3015:55:01

CWE-79

[email protected]

web.nvd.nist.gov

cve

2011

2197

ruby on rails

xss prevention

remote attack

crafted strings

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.1%

JSON

The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.

Affected configurations

NVD

Node

rubyonrailsrailsMatch2.0.0

rubyonrailsrailsMatch2.0.0rc1

rubyonrailsrailsMatch2.0.0rc2

rubyonrailsrailsMatch2.0.1

rubyonrailsrailsMatch2.0.2

rubyonrailsrailsMatch2.0.4

rubyonrailsrailsMatch2.1.0

rubyonrailsrailsMatch2.1.1

rubyonrailsrailsMatch2.1.2

rubyonrailsrailsMatch2.2.0

rubyonrailsrailsMatch2.2.1

rubyonrailsrailsMatch2.2.2

rubyonrailsrailsMatch2.3.2

rubyonrailsrailsMatch2.3.3

rubyonrailsrailsMatch2.3.4

rubyonrailsrailsMatch2.3.9

rubyonrailsrailsMatch2.3.10

rubyonrailsrailsMatch2.3.11

Node

rubyonrailsrailsMatch3.0.0

rubyonrailsrailsMatch3.0.0beta

rubyonrailsrailsMatch3.0.0beta2

rubyonrailsrailsMatch3.0.0beta3

rubyonrailsrailsMatch3.0.0beta4

rubyonrailsrailsMatch3.0.0rc

rubyonrailsrailsMatch3.0.0rc2

rubyonrailsrailsMatch3.0.1

rubyonrailsrailsMatch3.0.1pre

rubyonrailsrailsMatch3.0.2

rubyonrailsrailsMatch3.0.2pre

rubyonrailsrailsMatch3.0.3

rubyonrailsrailsMatch3.0.4rc1

rubyonrailsrailsMatch3.0.5

rubyonrailsrailsMatch3.0.5rc1

rubyonrailsrailsMatch3.0.6

rubyonrailsrailsMatch3.0.6rc1

rubyonrailsrailsMatch3.0.6rc2

rubyonrailsrailsMatch3.0.7

rubyonrailsrailsMatch3.0.7rc1

rubyonrailsrailsMatch3.0.7rc2

rubyonrailsrailsMatch3.0.8rc1

rubyonrailsrailsMatch3.0.8rc2

rubyonrailsrailsMatch3.0.8rc3

rubyonrailsrailsMatch3.0.8rc4

rubyonrailsruby_on_railsMatch3.0.4

Node

rubyonrailsrailsMatch3.1.0

rubyonrailsrailsMatch3.1.0beta1

rubyonrailsrailsMatch3.1.0rc1

CPENameOperatorVersion
rubyonrails:railsrubyonrails railseq2.0.0
rubyonrails:railsrubyonrails railseq2.0.1
rubyonrails:railsrubyonrails railseq2.0.2
rubyonrails:railsrubyonrails railseq2.0.4
rubyonrails:railsrubyonrails railseq2.1.0
rubyonrails:railsrubyonrails railseq2.1.1
rubyonrails:railsrubyonrails railseq2.1.2
rubyonrails:railsrubyonrails railseq2.2.0
rubyonrails:railsrubyonrails railseq2.2.1
rubyonrails:railsrubyonrails railseq2.2.2

CPE	Name	Operator	Version
rubyonrails:rails	rubyonrails rails	eq	2.0.0
rubyonrails:rails	rubyonrails rails	eq	2.0.1
rubyonrails:rails	rubyonrails rails	eq	2.0.2
rubyonrails:rails	rubyonrails rails	eq	2.0.4
rubyonrails:rails	rubyonrails rails	eq	2.1.0
rubyonrails:rails	rubyonrails rails	eq	2.1.1
rubyonrails:rails	rubyonrails rails	eq	2.1.2
rubyonrails:rails	rubyonrails rails	eq	2.2.0
rubyonrails:rails	rubyonrails rails	eq	2.2.1
rubyonrails:rails	rubyonrails rails	eq	2.2.2