RubySec

Providing security resources for the Ruby community

CVE-2012-1098 (activesupport): Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS

GEM

activesupport

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3

UNAFFECTED VERSIONS

  • < 3.0.0

PATCHED VERSIONS

  • ~> 3.0.12
  • ~> 3.1.4
  • >= 3.2.2

DESCRIPTION

Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate direct manipulations of SafeBuffer objects via `[]` and other methods. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
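Because the patched ranges above use pessimistic (`~>`) constraints, a version such as 3.1.0 is newer than the patched 3.0.12 yet still affected. The following added example (not RubySec's or Rails' own code) evaluates the advisory's version constraints with RubyGems' own `Gem::Requirement` and reads the activesupport version out of a constructed `Gemfile.lock` sample.

```ruby
# Added example: decide whether a given activesupport version falls inside
# the affected range for CVE-2012-1098, using the unaffected/patched
# constraints listed in this advisory. Gem::Requirement (part of RubyGems,
# loaded by default) implements "~>" and ">=" with Gemfile semantics.
require "rubygems"

UNAFFECTED = ["< 3.0.0"].freeze
PATCHED    = ["~> 3.0.12", "~> 3.1.4", ">= 3.2.2"].freeze

# True when the version satisfies any of the given constraint strings.
def matches_any?(version, constraints)
  v = Gem::Version.new(version)
  constraints.any? { |c| Gem::Requirement.new(c).satisfied_by?(v) }
end

# A version is vulnerable when it is neither unaffected nor patched.
def vulnerable?(version)
  !matches_any?(version, UNAFFECTED) && !matches_any?(version, PATCHED)
end

# Extract the resolved activesupport version from a Gemfile.lock body
# (the "    activesupport (x.y.z)" line under "specs:").
def activesupport_version_from_lock(lock_text)
  lock_text[/^\s+activesupport \(([^)]+)\)/, 1]
end

SAMPLE_LOCK = <<~LOCK  # constructed sample, not taken from a real project
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (3.2.1)
        i18n (~> 0.6)
        multi_json (~> 1.0)
LOCK

if __FILE__ == $0
  v = activesupport_version_from_lock(SAMPLE_LOCK)
  puts "activesupport #{v}: #{vulnerable?(v) ? 'VULNERABLE' : 'not affected'}"
end
```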