CVE-2012-1098
Ruby on Rails 3.0.x < 3.0.12, 3.1.x < 3.1.4, 3.2.x < 3.2.2 - Cross-Site Scripting via SafeBuffer Manipulation
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/03/03/1
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=799275
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/03/02/6
Mailing List mailing-list
x_refsource_mlist
http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain
Various Sources x_refsource_confirm
http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
Scores
EPSS
0.0038
EPSS Percentile
59.4%
Details
CWE
CWE-79
Status
published
Products (16)
rubygems/activesupport
3.0.0 - 3.0.12RubyGems
rubyonrails/rails
3.0.0 (7 CPE variants)
rubyonrails/rails
3.0.1 (2 CPE variants)
rubyonrails/rails
3.0.2 (2 CPE variants)
rubyonrails/rails
3.0.3
rubyonrails/rails
3.0.4 rc1
rubyonrails/rails
3.0.5 (2 CPE variants)
rubyonrails/rails
3.0.6 (3 CPE variants)
rubyonrails/rails
3.0.7 (3 CPE variants)
rubyonrails/rails
3.0.8 (5 CPE variants)
... and 6 more
Published
Mar 13, 2012
Tracked Since
Feb 18, 2026