RubySec

Providing security resources for the Ruby community

CVE-2012-1098 (activesupport): CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)

ADVISORIES

GEM

activesupport

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3 (Medium)

UNAFFECTED VERSIONS

  • < 3.0.0

PATCHED VERSIONS

  • ~> 3.0.12
  • ~> 3.1.4
  • >= 3.2.2

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.