CVE-2009-3009
published 2009-09-08CVE-2009-3009: Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or…
PriorityP419medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EPSS
3.02%
85.7th percentile
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actionpack_project | actionpack | >= 2.0.0 < 2.2.3 | 2.2.3 |
| actionpack_project | actionpack | >= 2.3.0 < 2.3.4 | 2.3.4 |
| debian | rails | < rails 2.2.3-1 (bookworm) | rails 2.2.3-1 (bookworm) |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | >= 0 < 2.2.3-1 | 2.2.3-1 |
| rubyonrails | rails | >= 0 < 2.2.3-1 | 2.2.3-1 |
| rubyonrails | rails | >= 0 < 2.2.3-1 | 2.2.3-1 |
| rubyonrails | rails | >= 0 < 2.2.3-1 | 2.2.3-1 |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv4.3MEDIUM
vendor_debian4.3LOW
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Cross site scripting that affects rails
ghsa·2017-10-24
CVE-2009-3009 [MEDIUM] CWE-79 Cross site scripting that affects rails
Cross site scripting that affects rails
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
OSV
Cross site scripting that affects rails
osv·2017-10-24
CVE-2009-3009 [MEDIUM] Cross site scripting that affects rails
Cross site scripting that affects rails
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
OSV
CVE-2009-3009: Cross-site scripting (XSS) vulnerability in Ruby on Rails 2
osv·2009-09-08·CVSS 4.3
CVE-2009-3009 [MEDIUM] CVE-2009-3009: Cross-site scripting (XSS) vulnerability in Ruby on Rails 2
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Red Hat
ruby-activesupport: XSS vulnerability
vendor_redhat·2009-09-03·CVSS 4.3
CVE-2009-3009 [MEDIUM] CWE-79 ruby-activesupport: XSS vulnerability
ruby-activesupport: XSS vulnerability
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Debian
CVE-2009-3009: rails - Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and ...
vendor_debian·2009·CVSS 4.3
CVE-2009-3009 [MEDIUM] CVE-2009-3009: rails - Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and ...
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Scope: local
bookworm: resolved (fixed in 2.2.3-1)
bullseye: resolved (fixed in 2.2.3-1)
forky: resolved (fixed in 2.2.3-1)
sid: resolved (fixed in 2.2.3-1)
trixie: resolved (fixed in 2.2.3-1)
No detection rules found.
No public exploits indexed.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=sourcehttp://lists.apple.com/archives/security-announce/2010//Mar/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.htmlhttp://secunia.com/advisories/36600http://secunia.com/advisories/36717http://securitytracker.com/id?1022824http://support.apple.com/kb/HT4077http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-railshttp://www.debian.org/security/2009/dsa-1887http://www.osvdb.org/57666http://www.securityfocus.com/bid/36278http://www.vupen.com/english/advisories/2009/2544https://exchange.xforce.ibmcloud.com/vulnerabilities/53036http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=sourcehttp://lists.apple.com/archives/security-announce/2010//Mar/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.htmlhttp://secunia.com/advisories/36600http://secunia.com/advisories/36717http://securitytracker.com/id?1022824http://support.apple.com/kb/HT4077http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-railshttp://www.debian.org/security/2009/dsa-1887http://www.osvdb.org/57666http://www.securityfocus.com/bid/36278http://www.vupen.com/english/advisories/2009/2544https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
2009-09-08
Published