ADVISORIES

• CVE-2009-3009 (NVD)
• GHSA-8qrh-h9m2-5fvf
• OSVDB-57666
• Vendor Advisory

GEM

activesupport

FRAMEWORK

Ruby on Rails

UNAFFECTED VERSIONS

• < 2.0.0

PATCHED VERSIONS

• ~> 2.2.3
• >= 2.3.4

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

9/4/2009 url mentions patches for 2.0, 2.1, 2.2, and 2.3 series.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2009-3009
• http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
• https://groups.google.com/g/rubyonrails-security/c/SKs_SiwWGQ8/m/tNHhlHfNV38J
• http://www.osvdb.org/57666
• https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
• https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
• https://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
• http://support.apple.com/kb/HT4077
• https://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
• http://www.debian.org/security/2009/dsa-1887