CVE-2015-3226Cross-site Scripting in Rails

CWE-79Cross-site Scripting10 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 56.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Rubyonrails RailsRubyonrails Ruby ON Rails
Timeline
PublishedJul 26
Latest updateOct 24

Description

Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

Debianrubyonrails/rails< 2:4.2.4-2+3
NVDrubyonrails/rails30 versions+29

🔴Vulnerability Details

4
GHSA
activesupport Cross-site Scripting vulnerability2017-10-24
OSV
activesupport Cross-site Scripting vulnerability2017-10-24
CVEList
CVE-2015-3226: Cross-site scripting (XSS) vulnerability in json/encoding2015-07-26
OSV
CVE-2015-3226: Cross-site scripting (XSS) vulnerability in json/encoding2015-07-26

📋Vendor Advisories

2
Red Hat
rubygem-activesupport: XSS Vulnerability in ActiveSupport::JSON.encode2015-06-16
Debian
CVE-2015-3226: rails - Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support i...2015

💬Community

3
Bugzilla
CVE-2015-3226 rubygem-activesupport: XSS Vulnerability in ActiveSupport::JSON.encode [fedora-all]2015-07-31
Bugzilla
CVE-2015-3226 rubygem-activesupport: XSS Vulnerability in ActiveSupport::JSON.encode [epel-all]2015-07-31
Bugzilla
CVE-2015-3226 rubygem-activesupport: XSS Vulnerability in ActiveSupport::JSON.encode2015-06-16
CVE-2015-3226 — Cross-site Scripting in Rails | cvebase