CVE-2011-4319
Published 2011-11-28
CVE-2011-4319: Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss…
Priority: P419 · Severity: medium · CVSS 2.0: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 1.64% (73.2th percentile)
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actionpack_project | actionpack | >= 3.0.0 < 3.0.11 | 3.0.11 |
| actionpack_project | actionpack | >= 3.1.0 < 3.1.2 | 3.1.2 |
| debian | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | rails | — | — |
| rubyonrails | ruby_on_rails | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
OSV (osv · 2017-10-24)
CVE-2011-4319 [MEDIUM] Cross-site Scripting vulnerability in i18n translations helper method
GHSA (ghsa · 2017-10-24)
CVE-2011-4319 [MEDIUM] CWE-79 Cross-site Scripting vulnerability in i18n translations helper method
Red Hat (vendor_redhat · 2011-11-18 · CVSS 4.3)
CVE-2011-4319 [MEDIUM] CWE-79 rubygem-actionpack: XSS in the 'translate' helper method
Package: rubygem-actionpack (Red Hat Subscription Asset Manager) - Affected
Debian (vendor_debian · 2011 · CVSS 4.3)
CVE-2011-4319 [MEDIUM] rails - Cross-site scripting (XSS) vulnerability in the i18n translations helper method ...
Scope: local
Release status: bookworm: resolved · bullseye: resolved · forky: resolved · sid: resolved · trixie: resolved
No detection rules found.
No public exploits indexed.
References
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1
- http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain
- http://openwall.com/lists/oss-security/2011/11/18/8
- http://osvdb.org/77199
- http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released
- http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released
- http://www.securityfocus.com/bid/50722
- http://www.securitytracker.com/id?1026342
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71364