CVE-2011-2197

EPSS 0.44%
Published 30.06.2011 15:55:01
Last modified 11.04.2025 00:51:21
Source secalert@redhat.com
Teams watchlist Login
Open Login

The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.

Affected products Warnungen 0 Metrics 2 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Rubyonrails ≫ Rails Version2.0.0

Rubyonrails ≫ Rails Version2.0.0 Updaterc1

Rubyonrails ≫ Rails Version2.0.0 Updaterc2

Rubyonrails ≫ Rails Version2.0.1

Rubyonrails ≫ Rails Version2.0.2

Rubyonrails ≫ Rails Version2.0.4

Rubyonrails ≫ Rails Version2.1.0

Rubyonrails ≫ Rails Version2.1.1

Rubyonrails ≫ Rails Version2.1.2

Rubyonrails ≫ Rails Version2.2.0

Rubyonrails ≫ Rails Version2.2.1

Rubyonrails ≫ Rails Version2.2.2

Rubyonrails ≫ Rails Version2.3.2

Rubyonrails ≫ Rails Version2.3.3

Rubyonrails ≫ Rails Version2.3.4

Rubyonrails ≫ Rails Version2.3.9

Rubyonrails ≫ Rails Version2.3.10

Rubyonrails ≫ Rails Version2.3.11

Rubyonrails ≫ Rails Version3.0.0

Rubyonrails ≫ Rails Version3.0.0 Updatebeta

Rubyonrails ≫ Rails Version3.0.0 Updatebeta2

Rubyonrails ≫ Rails Version3.0.0 Updatebeta3

Rubyonrails ≫ Rails Version3.0.0 Updatebeta4

Rubyonrails ≫ Rails Version3.0.0 Updaterc

Rubyonrails ≫ Rails Version3.0.0 Updaterc2

Rubyonrails ≫ Rails Version3.0.1

Rubyonrails ≫ Rails Version3.0.1 Updatepre

Rubyonrails ≫ Rails Version3.0.2

Rubyonrails ≫ Rails Version3.0.2 Updatepre

Rubyonrails ≫ Rails Version3.0.3

Rubyonrails ≫ Rails Version3.0.4 Updaterc1

Rubyonrails ≫ Rails Version3.0.5

Rubyonrails ≫ Rails Version3.0.5 Updaterc1

Rubyonrails ≫ Rails Version3.0.6

Rubyonrails ≫ Rails Version3.0.6 Updaterc1

Rubyonrails ≫ Rails Version3.0.6 Updaterc2

Rubyonrails ≫ Rails Version3.0.7

Rubyonrails ≫ Rails Version3.0.7 Updaterc1

Rubyonrails ≫ Rails Version3.0.7 Updaterc2

Rubyonrails ≫ Rails Version3.0.8 Updaterc1

Rubyonrails ≫ Rails Version3.0.8 Updaterc2

Rubyonrails ≫ Rails Version3.0.8 Updaterc3

Rubyonrails ≫ Rails Version3.0.8 Updaterc4

Rubyonrails ≫ Ruby On Rails Version3.0.4

Rubyonrails ≫ Rails Version3.1.0

Rubyonrails ≫ Rails Version3.1.0 Updatebeta1

Rubyonrails ≫ Rails Version3.1.0 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.44%	0.603

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain

Patch

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html

http://openwall.com/lists/oss-security/2011/06/09/2

Patch

http://openwall.com/lists/oss-security/2011/06/13/9

Patch

http://secunia.com/advisories/44789

Vendor Advisory

http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

Patch

https://nvd.nist.gov/vuln/detail/CVE-2011-2197

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2011-2197

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2011-2197

EUVD