CVE-2011-0446: Cross-site Scripting in Rails Actionview

Severity
4.3 MEDIUM (NVD)
EPSS
0.7%
top 28.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 14
Latest update: Oct 24

Description

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (4 packages)

Source   | Package                       | Affected versions
Debian   | rubyonrails/rails             | < 2.3.11-0.1 (+3)
NVD      | rubyonrails/rails             | 20 versions (+19)
RubyGems | rails/actionview              | 3.0.0 to 3.0.4 (+1)
RubyGems | actionpack_project/actionpack | 3.0.0 to 3.0.4 (+1)

Patches

Vulnerability Details (4)

GHSA: Rails actionpack gem vulnerable to Cross-site Scripting (2017-10-24)
OSV: Rails actionpack gem vulnerable to Cross-site Scripting (2017-10-24)
OSV: CVE-2011-0446: Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2... (2011-02-14)
CVEList: CVE-2011-0446: Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2... (2011-02-14)

Vendor Advisories (1)

Debian: CVE-2011-0446: rails - Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Rub... (2011)

Community (3)

Bugzilla: CVE-2011-0446 rubygem-actionpack: Multiple XSS flaws via crafted name or email value in the mail_to helper (2011-02-15)
Bugzilla: CVE-2011-0446 CVE-2011-0447 rubygem-actionpack various flaws [epel-5] (2011-02-15)
Bugzilla: CVE-2011-0446 CVE-2011-0447 rubygem-actionpack: various flaws [fedora-all] (2011-02-15)
CVE-2011-0446 — Cross-site Scripting in Rails | cvebase