CVE-2007-3227

Ruby on Rails - Cross-Site Scripting via ActiveRecord::Base#to_json Input Values

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

Exploits (1)

exploitdb WRITEUP VERIFIED

by BCC · textremotelinux

https://www.exploit-db.com/exploits/30089

View Code ZIP pw:eip

References (13)

Core 13

Core References

Various Sources x_refsource_confirm

http://pastie.caboo.se/65550.txt

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25699

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2007/2216

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-200711-17.xml

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/27756

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/36378

Issue Tracking x_refsource_confirm

http://bugs.gentoo.org/show_bug.cgi?id=195315

Various Sources x_refsource_confirm

http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release

Various Sources x_refsource_confirm

http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release

Vendor Advisory vendor-advisory x_refsource_suse

http://www.novell.com/linux/security/advisories/2007_24_sr.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/27657

Various Sources x_refsource_confirm

http://dev.rubyonrails.org/ticket/8371

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/24161

Scores

EPSS 0.1395

EPSS Percentile 94.4%

Details

CWE

CWE-79

Status published

Products (2)

rubygems/rails 0 - 1.2.5RubyGems

rubyonrails/rails 1.1.5

Published Jun 14, 2007

Tracked Since Feb 18, 2026