Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-3227 — Cross-site Scripting in Rails

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

13.6%

top 5.74%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Rubyonrails Rails

Timeline

PublishedJun 14

Latest updateOct 24

Description

Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶RubyGemsrubyonrails/rails< 1.2.5

▶Debianrubyonrails/rails< 1.2.5-1+3

▶NVDrubyonrails/rails1.1.5

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects rails↗2017-10-24

▶

OSV

Moderate severity vulnerability that affects rails↗2017-10-24

▶

OSV

CVE-2007-3227: Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attacker↗2007-06-14

▶

CVEList

CVE-2007-3227: Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attacker↗2007-06-14

▶

💥Exploits & PoCs

Exploit-DB

Ruby on Rails 1.2.3 To_JSON - Script Injection↗2007-05-25

▶

📋Vendor Advisories

Debian

CVE-2007-3227: rails - Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_j...↗2007

▶