CVE-2009-3009 — Cross-site Scripting in Rails

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.6%

top 18.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Actionpack Project Actionpack

Timeline

PublishedSep 8

Latest updateOct 24

Description

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Debianrubyonrails/rails< 2.2.3-1+3

▶NVDrubyonrails/rails12 versions+11

▶RubyGemsactionpack_project/actionpack2.0.0 — 2.2.3+1

Patches

Patch: groups.google.com ↗Patch: securitytracker.com ↗Patch: www.vupen.com ↗

🔴Vulnerability Details

GHSA

Cross site scripting that affects rails↗2017-10-24

▶

OSV

Cross site scripting that affects rails↗2017-10-24

▶

CVEList

CVE-2009-3009: Cross-site scripting (XSS) vulnerability in Ruby on Rails 2↗2009-09-08

▶

OSV

CVE-2009-3009: Cross-site scripting (XSS) vulnerability in Ruby on Rails 2↗2009-09-08

▶

📋Vendor Advisories

Red Hat

ruby-activesupport: XSS vulnerability↗2009-09-03

▶

Debian

CVE-2009-3009: rails - Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and ...↗2009

▶

💬Community

Bugzilla

CVE-2009-3009 ruby-activesupport: XSS vulnerability↗2009-09-02

▶