RubySec

Providing security resources for the Ruby community

CVE-2011-4319 (actionpack): XSS vulnerability in the translate helper method in Ruby on Rails

GEM

actionpack

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 4.3 (Medium)

PATCHED VERSIONS

  • ~> 3.0.11
  • >= 3.1.2

DESCRIPTION

A cross-site scripting (XSS) flaw was found in the way the ‘translate’ helper method of Ruby on Rails performed HTML escaping of interpolated user input when interpolation was used in combination with HTML-safe translations. A remote attacker could use this flaw to execute arbitrary HTML or web script by providing specially crafted input to a Ruby on Rails application that uses the ActionPack module and its ‘translate’ helper method without explicit (application-specific) sanitization of user-provided input.
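The following is an added illustration of the flaw and its fix, not ActionPack's own code: a stand-in for the translate helper that models the Rails convention of treating keys ending in `_html` / `.html` as HTML-safe. The `SafeBuffer` class, the `TRANSLATIONS` table and the sample input are constructed for this example; the unpatched variant drops interpolated values into the trusted template verbatim, while the patched variant escapes every interpolated value first so that only the translator-authored markup stays trusted.

```ruby
require "erb"

# Constructed stand-in for an HTML-safe string (not ActiveSupport's SafeBuffer).
class SafeBuffer < String
  def html_safe?; true; end
end

# Constructed translation table; keys ending in _html are HTML-safe by convention.
TRANSLATIONS = {
  "greeting_html" => "Welcome back, <strong>%{name}</strong>!",
  "greeting"      => "Welcome back, %{name}!",
}.freeze

def html_safe_key?(key)
  key.end_with?("_html") || key.end_with?(".html")
end

# Replace %{name}-style placeholders with the supplied values.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Pre-fix behaviour (CVE-2011-4319): user-controlled values are interpolated
# unescaped and the whole result is then marked html_safe.
def translate_unpatched(key, **values)
  text = interpolate(TRANSLATIONS.fetch(key), values)
  html_safe_key?(key) ? SafeBuffer.new(text) : text
end

# Patched behaviour: for HTML-safe keys, escape each interpolated value before
# it enters the trusted template. Non-HTML keys return a plain String that the
# view layer escapes on output as usual.
def translate_patched(key, **values)
  if html_safe_key?(key)
    escaped = values.transform_values { |v| ERB::Util.html_escape(v.to_s) }
    SafeBuffer.new(interpolate(TRANSLATIONS.fetch(key), escaped))
  else
    interpolate(TRANSLATIONS.fetch(key), values)
  end
end

if __FILE__ == $0
  user_input = "<i>x</i>" # constructed sample of untrusted input
  puts translate_unpatched("greeting_html", name: user_input) # markup survives
  puts translate_patched("greeting_html", name: user_input)   # markup escaped
end
```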