Lucene search

GitHub Advisory DatabaseGHSA-QV8P-V9QW-WC7G

HistoryOct 24, 2017 - 6:33 p.m.

activesupport Cross-site Scripting vulnerability

2017-10-2418:33:38

CWE-79

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

64.6%

JSON

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.

Affected configurations

Vulners

Node

activesupport_projectactivesupportRange<3.2.2ruby

activesupport_projectactivesupportRange<3.1.4ruby

activesupport_projectactivesupportRange<3.0.12ruby

CPENameOperatorVersion
activesupportlt3.2.2
activesupportlt3.1.4
activesupportlt3.0.12

Name	Operator	Version
activesupport	lt	3.2.2
activesupport	lt	3.1.4
activesupport	lt	3.0.12

References

groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain

lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html

weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released

www.openwall.com/lists/oss-security/2012/03/02/6

www.openwall.com/lists/oss-security/2012/03/03/1

bugzilla.redhat.com/show_bug.cgi?id=799275

github.com/advisories/GHSA-qv8p-v9qw-wc7g

nvd.nist.gov/vuln/detail/CVE-2012-1098

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

64.6%

JSON

Related for GHSA-QV8P-V9QW-WC7G