RubySec

Providing security resources for the Ruby community

CVE-2012-1098 (activesupport): CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)

CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)

Published: March 01, 2012

SECURITY IDENTIFIERS

GEM

activesupport

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 4.3 (Medium)

UNAFFECTED VERSIONS

< 3.0.0

PATCHED VERSIONS

~> 3.0.12 ~> 3.1.4 >= 3.2.2

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories