CVE-2012-1099
Ruby on Rails 3.0.x-3.0.11, 3.1.x-3.1.3, 3.2.x-3.2.1 - Cross-Site Scripting in Form Options Helper
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
References (8)
Core 8
Core References
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/03/03/1
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=799276
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2012/dsa-2466
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/03/02/6
Mailing List mailing-list
x_refsource_mlist
http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain
Various Sources x_refsource_confirm
http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
Scores
EPSS
0.0040
EPSS Percentile
60.8%
Details
CWE
CWE-79
Status
published
Products (16)
rubygems/actionpack
3.0.0 - 3.0.12RubyGems
rubyonrails/rails
3.0.0 (7 CPE variants)
rubyonrails/rails
3.0.1 (2 CPE variants)
rubyonrails/rails
3.0.2 (2 CPE variants)
rubyonrails/rails
3.0.3
rubyonrails/rails
3.0.4 rc1
rubyonrails/rails
3.0.5 (2 CPE variants)
rubyonrails/rails
3.0.6 (3 CPE variants)
rubyonrails/rails
3.0.7 (3 CPE variants)
rubyonrails/rails
3.0.8 (5 CPE variants)
... and 6 more
Published
Mar 13, 2012
Tracked Since
Feb 18, 2026