RubySec

Providing security resources for the Ruby community

CVE-2012-3464 (activesupport): Ruby on Rails HTML Escaping Code XSS

GEM

activesupport

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3

PATCHED VERSIONS

  • ~> 3.0.17
  • ~> 3.1.8
  • >= 3.2.8

DESCRIPTION

Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the HTML escaping functionality does not properly escape the single quote character. This may allow a user to craft a request that executes arbitrary script code in another user's browser, within the trust relationship between that browser and the server.
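As an added illustration (constructed for this page, not ActiveSupport's own `html_escape` nor code from the advisory), the Ruby below models the gap described above: an escaping table that omits the single quote beside one that maps it to `&#39;`, a single-quoted attribute built from each, and a check that returns true only when an escaper rewrites every HTML-significant character. The table contents, entity choice and helper names are assumptions.

```ruby
# Constructed model of the escaping gap in CVE-2012-3464; not Rails code.

# Incomplete mapping: the single quote is absent, so it passes through.
INCOMPLETE_HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;"
}.freeze

# Complete mapping: the single quote becomes a numeric entity, which is
# safe inside both element text and attribute values.
FULL_HTML_ESCAPE = INCOMPLETE_HTML_ESCAPE.merge("'" => "&#39;").freeze

# Replace each HTML-significant character using the given table; characters
# missing from the table are left untouched (that is the bug being modelled).
def escape_with(table, str)
  str.to_s.gsub(/[&<>"']/) { |ch| table.fetch(ch, ch) }
end

def incomplete_escape(str)
  escape_with(INCOMPLETE_HTML_ESCAPE, str)
end

def full_escape(str)
  escape_with(FULL_HTML_ESCAPE, str)
end

# A single-quoted attribute the way a template might emit it. With an
# escaper that leaves ' alone, the value can end the attribute early.
def title_attr(value, escaper)
  "<a title='#{escaper.call(value)}'>link</a>"
end

# Self-check usable against any escaper, e.g. ERB::Util.method(:html_escape):
# strips the entities a correct escaper may emit and reports whether any raw
# HTML-significant character, the single quote included, survives.
def escaper_complete?(escaper)
  out = escaper.call(%q{&<>"'})
  residue = out.gsub(/&(?:amp|lt|gt|quot|apos|#39|#x27);/i, "")
  residue !~ /[&<>"']/
end
```

Run `escaper_complete?` against the escaper your application actually uses; a `false` result is the condition this advisory describes.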