ADVISORIES
- CVE-2011-4319 (NVD)
- OSVDB-77199
- Vendor Advisory
GEM
actionpack
FRAMEWORK
rails
SEVERITY
CVSS v2.0: 4.3 (Medium)
PATCHED VERSIONS
- ~> 3.0.11
- >= 3.1.2
DESCRIPTION
A cross-site scripting (XSS) flaw was found in the way the 'translate' helper method of Ruby on Rails (ActionView, shipped in the actionpack gem) performed HTML escaping of interpolated user input when interpolation was combined with HTML-safe translations. Translation keys ending in '_html' (or '.html') are treated as HTML-safe: the helper marks the whole translated string as safe so that the view does not escape it again. In affected versions the values passed for interpolation were inserted into such a translation without being escaped first, so the result was marked safe even though it contained raw user input. A remote attacker could use this flaw to execute arbitrary HTML or web script by providing specially crafted input to a Rails application that uses the ActionPack 'translate' helper with an HTML-safe translation and does not perform its own application-specific sanitization of user-provided input. Rails 3.0.11 and 3.1.2 fix the issue by HTML-escaping every interpolation value that is not already HTML-safe before it is inserted into an HTML-safe translation.
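The following is an added, self-contained Ruby example that is not Rails code and not part of the original advisory. It models the vulnerable and the fixed behaviour of the helper side by side without loading Rails: the translation table, the SafeString class (a stand-in for ActiveSupport::SafeBuffer), the interpolate/translate_vulnerable/translate_fixed/render helpers and the attacker payload are all constructed for this illustration.

```ruby
require "cgi"

# Constructed translation table standing in for config/locales/*.yml.
# The "_html" suffix is what makes Rails treat a key as HTML-safe.
TRANSLATIONS = {
  "greeting_html" => "Welcome back, <strong>%{name}</strong>!",
  "greeting"      => "Welcome back, %{name}!"
}.freeze

# Stand-in for ActiveSupport::SafeBuffer (an assumption of this example):
# a String whose class marks it as "already escaped, do not escape again".
class SafeString < String; end

def html_safe_key?(key)
  key.end_with?("_html") || key.end_with?(".html")
end

# Substitute %{name} placeholders from the values hash, as I18n does.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch($1.to_sym).to_s }
end

# Vulnerable behaviour (Rails 3.0.x < 3.0.11, 3.1.x < 3.1.2): raw values
# are interpolated first and the whole result is then marked HTML-safe,
# so attacker-controlled values bypass output escaping in the view.
def translate_vulnerable(key, values)
  text = interpolate(TRANSLATIONS.fetch(key), values)
  html_safe_key?(key) ? SafeString.new(text) : text
end

# Fixed behaviour: for an HTML-safe key, escape every interpolation value
# that is not already marked safe, then mark the assembled result safe.
# Values that are already SafeString pass through untouched, so callers
# can still interpolate trusted markup deliberately.
def translate_fixed(key, values)
  template = TRANSLATIONS.fetch(key)
  return interpolate(template, values) unless html_safe_key?(key)

  escaped = values.transform_values do |v|
    v.is_a?(SafeString) ? v : CGI.escapeHTML(v.to_s)
  end
  SafeString.new(interpolate(template, escaped))
end

# What the view layer does with the helper's return value: escape it unless
# it has been marked safe. This is why only the HTML-safe keys were exploitable.
def render(value)
  value.is_a?(SafeString) ? value : CGI.escapeHTML(value)
end

if $PROGRAM_NAME == __FILE__
  payload = "<script>alert(1)</script>" # constructed attacker-controlled input
  puts render(translate_vulnerable("greeting_html", name: payload)) # script survives
  puts render(translate_fixed("greeting_html", name: payload))      # escaped
  puts render(translate_vulnerable("greeting", name: payload))      # plain key: escaped either way
end
```

Running the block shows the three cases: with the vulnerable helper and an '_html' key the script tag reaches the page intact, with the fixed helper it is escaped, and with a key that is not HTML-safe the normal view escaping protects the output in both versions. The check a practitioner wants when auditing an application on an unpatched Rails is therefore narrow: look for 't(...)' / 'translate(...)' calls whose key ends in '_html' or '.html' and whose interpolation options carry request-derived values.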