CVE-2009-4214

Ruby on Rails <2.2.3 and 2.3.x <2.3.5 - XSS in strip_tags


Description

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.3, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters. The issue lies in the bundled HTML sanitizer, HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb, whose tag parsing does not account for such characters.

References (15 total; 11 listed below)

Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/37446
Patch, Vendor Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2009/3352
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2011/dsa-2301
Mailing List (vendor-advisory, x_refsource_apple): http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Patch (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/37142
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2011/dsa-2260
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2009/11/27/2
Vendor Advisory (x_refsource_confirm): http://support.apple.com/kb/HT4077
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id?1023245
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/38915
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2009/12/08/3

Scores

EPSS score: 0.0163
EPSS percentile: 82.1%

Details

CWE: CWE-79
Status: published
Products (48)
rubygems/rails 0 - 2.2.2 (RubyGems)
rubyonrails/rails 2.3.2
rubyonrails/rails 2.3.3
rubyonrails/rails 2.3.4
rubyonrails/rails 0.9.1
rubyonrails/rails 0.9.2
rubyonrails/rails 0.9.3
rubyonrails/rails 0.9.4
rubyonrails/rails 0.9.4.1
rubyonrails/rails 0.10.0
... and 38 more
Published: Dec 07, 2009
Tracked since: Feb 18, 2026