Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-8F9C47E8ADC2C83F0F9156DBECF7D5C4

HistoryOct 24, 2017 - 12:00 a.m.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

2017-10-2400:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

72.1%

JSON

The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.

Affected configurations

Vulners

Node

gemactionpackRange2.0.0≥

gemactionpackRange<2.3.11

gemactionpackRange3.0.0≥

gemactionpackRange<3.0.7

CPENameOperatorVersion
gem/actionpackge2.0.0
gem/actionpacklt2.3.11
gem/actionpackge3.0.0
gem/actionpacklt3.0.7

Name	Operator	Version
gem/actionpack	ge	2.0.0
gem/actionpack	lt	2.3.11
gem/actionpack	ge	3.0.0
gem/actionpack	lt	3.0.7

References

groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain

lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html

lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html

openwall.com/lists/oss-security/2011/06/09/2

openwall.com/lists/oss-security/2011/06/13/9

weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

gist.github.com/NZKoz/b2ceb626fc2bcdfe497f

github.com/advisories/GHSA-v9v4-7jp6-8c73

github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd

github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da

github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml

nvd.nist.gov/vuln/detail/CVE-2011-2197

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

72.1%

JSON

Related for GITLAB-8F9C47E8ADC2C83F0F9156DBECF7D5C4