RubySec

Providing security resources for the Ruby community

CVE-2012-3465 (actionpack): Ruby on Rails strip_tags Helper Method XSS

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3

PATCHED VERSIONS

  • ~> 3.0.17
  • ~> 3.1.8
  • >= 3.2.8

DESCRIPTION

Ruby on Rails contains a flaw that allows remote cross-site scripting (XSS). The flaw exists because the application does not validate input passed through the ‘strip_tags’ helper method before returning it to the user. A remote attacker could craft a request that executes arbitrary script code in a user’s browser within the trust relationship between that browser and the server.
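A check of an application's resolved actionpack version against the patched ranges listed above, added here as an example and not part of the RubySec advisory or of Rails itself. It relies on Gem::Requirement (which evaluates the pessimistic `~>` operator the same way `gem` and bundler do) and on a constructed Gemfile.lock snippet.

```ruby
require "rubygems"

# Patched version ranges exactly as listed in the advisory.
PATCHED_ACTIONPACK = ["~> 3.0.17", "~> 3.1.8", ">= 3.2.8"].freeze

# True when +version+ falls inside at least one patched range.
# "~> 3.0.17" means >= 3.0.17 and < 3.1, so 3.0.20 is patched but
# 3.1.7 is not (it sits below the 3.1.x fix, 3.1.8).
def actionpack_patched?(version)
  v = Gem::Version.new(version)
  PATCHED_ACTIONPACK.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Extracts the resolved actionpack version from Gemfile.lock text.
# In the lockfile's "specs:" section each resolved gem appears as
# "    name (version)" with four leading spaces; dependency lines are
# indented further and carry operators, so they do not match.
# Returns nil when actionpack is not in the lockfile.
def locked_actionpack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionpack \(([^)\s]+)\)/)
  m && m[1]
end

# Verdict for a whole lockfile: :patched, :vulnerable or :not_found.
def audit_lockfile(lockfile_text)
  version = locked_actionpack_version(lockfile_text)
  return :not_found unless version
  actionpack_patched?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile (not from any real project) pinning 3.2.7,
# one release before the patched 3.2.8.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.7)
        activemodel (= 3.2.7)
      activemodel (3.2.7)
LOCK

if __FILE__ == $0
  puts "sample lockfile (actionpack 3.2.7): #{audit_lockfile(SAMPLE_LOCKFILE)}"
end
```

To audit a real application, pass `File.read("Gemfile.lock")` to `audit_lockfile` instead of the sample.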