ADVISORIES

• CVE-2011-0446 (NVD)
• GHSA-75w6-p6mg-vh8j
• Vendor Advisory

GEM

actionview

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 4.3 (Medium)

PATCHED VERSIONS

• ~> 2.3.11
• >= 3.0.4

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2011-0446
• https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ
• https://github.com/advisories/GHSA-75w6-p6mg-vh8j
• http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
• http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
• http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
• http://www.debian.org/security/2011/dsa-2247
• https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274
• https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666
• https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1025064
• https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/46291