CVE-2009-3009

Ruby on Rails 2.x < 2.2.3 and 2.3.x < 2.3.4 - Cross-Site Scripting via Malformed Unicode Strings


Description

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

References (14)

http://www.securityfocus.com/bid/36278 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
http://secunia.com/advisories/36600 (Vendor Advisory; third-party-advisory, x_refsource_secunia)
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html (Mailing List; vendor-advisory, x_refsource_apple)
http://www.vupen.com/english/advisories/2009/2544 (Patch, Vendor Advisory; vdb-entry, x_refsource_vupen)
https://exchange.xforce.ibmcloud.com/vulnerabilities/53036 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_xf)
http://support.apple.com/kb/HT4077 (Vendor Advisory; x_refsource_confirm)
http://www.debian.org/security/2009/dsa-1887 (Third Party Advisory; vendor-advisory, x_refsource_debian)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063 (Issue Tracking; x_refsource_confirm)
http://www.osvdb.org/57666 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_osvdb)
http://securitytracker.com/id?1022824 (Patch; vdb-entry, x_refsource_sectrack)
http://secunia.com/advisories/36717 (Vendor Advisory; third-party-advisory, x_refsource_secunia)

Scores

EPSS 0.0163
EPSS Percentile 82.1%

Details

CWE
CWE-79
Status published
Products (14)
rubygems/actionpack 2.0.0 - 2.2.3 (RubyGems)
rubygems/activesupport 2.0.0 - 2.2.3 (RubyGems)
rubyonrails/rails 2.0.0 (3 CPE variants)
rubyonrails/rails 2.0.1
rubyonrails/rails 2.0.2
rubyonrails/rails 2.0.4
rubyonrails/rails 2.1.0
rubyonrails/rails 2.1.1
rubyonrails/rails 2.1.2
rubyonrails/rails 2.2.0
... and 4 more
Published Sep 08, 2009
Tracked Since Feb 18, 2026