CVE-2009-3009

Rails < 2.2.3 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

References (14)

[Issue Tracking] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063

[Patch] http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source

[Mailing List] http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html

[Vendor Advisory] http://secunia.com/advisories/36600

[Vendor Advisory] http://secunia.com/advisories/36717

[Patch] http://securitytracker.com/id?1022824

[Vendor Advisory] http://support.apple.com/kb/HT4077

[Various Sources] http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails

[Patch, Vendor Advisory] http://www.vupen.com/english/advisories/2009/2544

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/36278

[Third Party Advisory] http://www.debian.org/security/2009/dsa-1887

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/53036

[Third Party Advisory, VDB Entry] http://www.osvdb.org/57666

Scores

EPSS 0.0163

EPSS Percentile 81.7%

Classification

CWE

CWE-79

Status published

Affected Products (17)

rubyonrails/rails

rubygems/actionpack < 2.2.3RubyGems

... and 2 more

Timeline

Published Sep 08, 2009

Tracked Since Feb 18, 2026