RubySec

Providing security resources for the Ruby community

CVE-2012-3463 (actionpack): Ruby on Rails select_tag Helper Method prompt Value XSS

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3

UNAFFECTED VERSIONS

  • ~> 2.3.0

PATCHED VERSIONS

  • ~> 3.0.17
  • ~> 3.1.8
  • >= 3.2.8

DESCRIPTION

Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the value passed as the prompt option is not properly escaped by the select_tag helper method before it is written into the response. This may allow a user to create a specially crafted request that would execute arbitrary script code in another user's browser, within the trust relationship between that browser and the server.
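To show the defect class concretely, here is an illustrative Ruby stand-in for the helper's prompt handling, added for this advisory and not actionpack's own code: the unescaped shape the description refers to beside an escaped one using ERB::Util.html_escape, plus a small check a test suite could keep to catch regressions. The helper name, its arguments and the tainted prompt string are constructed for the example.

```ruby
require "erb"

# Constructed stand-in for a select_tag-style helper (not actionpack's code).
# The prompt is the only attacker-influenced input in this example.
def prompt_option_unescaped(prompt)
  # Vulnerable shape: the prompt is interpolated into markup verbatim.
  %(<option value="">#{prompt}</option>)
end

def prompt_option_escaped(prompt)
  # Hardened shape: HTML-escape the prompt before it touches the markup.
  %(<option value="">#{ERB::Util.html_escape(prompt)}</option>)
end

def select_tag_like(name, option_tags, prompt: nil, escape_prompt: true)
  prompt_html =
    if prompt.nil?
      ""
    elsif escape_prompt
      prompt_option_escaped(prompt)
    else
      prompt_option_unescaped(prompt)
    end
  %(<select id="#{name}" name="#{name}">#{prompt_html}#{option_tags}</select>)
end

# Regression check: does raw markup survive inside the prompt <option>?
# Returns true when the prompt slot still contains unescaped angle brackets.
def prompt_injects_markup?(html)
  m = html.match(%r{<option value="">(.*?)</option>}m)
  return false unless m
  m[1].include?("<") || m[1].include?(">")
end

if __FILE__ == $PROGRAM_NAME
  tainted = %(<script>alert(1)</script>) # constructed attacker-controlled prompt
  options = %(<option value="1">One</option>)
  puts select_tag_like("color", options, prompt: tainted, escape_prompt: false)
  puts select_tag_like("color", options, prompt: tainted)
end
```

Running the block prints the vulnerable rendering followed by the escaped one; the prompt_injects_markup? check is what a project test would assert on after upgrading to a patched version.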