RubySec

Providing security resources for the Ruby community

CVE-2009-3009 (activesupport): Moderate severity XSS vulnerability that affects rails

GEM

activesupport

FRAMEWORK

Ruby on Rails

UNAFFECTED VERSIONS

  • < 2.0.0

PATCHED VERSIONS

  • ~> 2.2.3
  • >= 2.3.4

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

The 9/4/2009 URL mentions patches for the 2.0, 2.1, 2.2, and 2.3 series.
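As an added illustration (not RubySec's or Rails' own code), the Ruby helper below shows the defensive pattern this advisory points to: a form value is normalised to well-formed UTF-8 before it is HTML-escaped, so malformed byte sequences cannot make the escaper and the browser disagree about where characters begin and end. The helper names and sample inputs are constructed for this example.

```ruby
require 'cgi'

# Replacement character used for bytes that do not form valid UTF-8.
REPLACEMENT = "\uFFFD"

# Returns true when str decodes as well-formed UTF-8.
# Useful as a pre-check or a logging/detection hook for suspicious input.
def well_formed_utf8?(str)
  str.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Normalise to valid UTF-8 first, then escape HTML metacharacters.
# Escaping a string with invalid byte sequences leaves the browser free to
# reinterpret those bytes; scrubbing first removes that ambiguity.
def safe_html_escape(str)
  utf8 = str.dup.force_encoding(Encoding::UTF_8)
  utf8 = utf8.scrub(REPLACEMENT) unless utf8.valid_encoding?
  CGI.escapeHTML(utf8)
end

# Constructed sample values (not taken from the advisory).
CLEAN_INPUT = "Zoë <admin>"
# 0xE2 opens a 3-byte UTF-8 character but is followed by an ASCII byte,
# so this value cannot be decoded as UTF-8 and must be scrubbed.
MALFORMED_INPUT = "abc\xE2(".b

if __FILE__ == $PROGRAM_NAME
  puts "clean well-formed?     #{well_formed_utf8?(CLEAN_INPUT)}"
  puts "malformed well-formed? #{well_formed_utf8?(MALFORMED_INPUT)}"
  puts "escaped clean:         #{safe_html_escape(CLEAN_INPUT)}"
  puts "escaped malformed:     #{safe_html_escape(MALFORMED_INPUT).inspect}"
end
```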