CVE-2012-1098Cross-site Scripting in Rails

CWE-79Cross-site Scripting9 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
0.4%
top 40.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Rubyonrails RailsRubyonrails Ruby ON Rails
Timeline
PublishedMar 13
Latest updateOct 24

Description

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

Debianrubyonrails/rails< 2.3.14+3
NVDrubyonrails/rails21 versions+20

🔴Vulnerability Details

4
GHSA
activesupport Cross-site Scripting vulnerability2017-10-24
OSV
activesupport Cross-site Scripting vulnerability2017-10-24
OSV
CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 32012-03-13
CVEList
CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 32012-03-13

📋Vendor Advisories

2
Red Hat
rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)2012-03-01
Debian
CVE-2012-1098: rails - Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3...2012

💬Community

2
Bugzilla
CVE-2012-1098 rubygem-actionpack, rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe) [fedora-16]2012-03-05
Bugzilla
CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)2012-03-02
CVE-2012-1098 — Cross-site Scripting in Rails | cvebase