4.3

CVE-2011-2931

Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version2.0.0
RubyonrailsRails Version2.0.0 Updaterc1
RubyonrailsRails Version2.0.0 Updaterc2
RubyonrailsRails Version2.0.1
RubyonrailsRails Version2.0.2
RubyonrailsRails Version2.0.4
RubyonrailsRails Version2.1.0
RubyonrailsRails Version2.1.1
RubyonrailsRails Version2.1.2
RubyonrailsRails Version2.2.0
RubyonrailsRails Version2.2.1
RubyonrailsRails Version2.2.2
RubyonrailsRails Version2.3.2
RubyonrailsRails Version2.3.3
RubyonrailsRails Version2.3.4
RubyonrailsRails Version2.3.9
RubyonrailsRails Version2.3.10
RubyonrailsRails Version2.3.11
RubyonrailsRails Version2.3.12
RubyonrailsRails Version3.0.0
RubyonrailsRails Version3.0.0 Updatebeta
RubyonrailsRails Version3.0.0 Updatebeta2
RubyonrailsRails Version3.0.0 Updatebeta3
RubyonrailsRails Version3.0.0 Updatebeta4
RubyonrailsRails Version3.0.0 Updaterc
RubyonrailsRails Version3.0.0 Updaterc2
RubyonrailsRails Version3.0.1
RubyonrailsRails Version3.0.1 Updatepre
RubyonrailsRails Version3.0.2
RubyonrailsRails Version3.0.2 Updatepre
RubyonrailsRails Version3.0.3
RubyonrailsRails Version3.0.4 Updaterc1
RubyonrailsRails Version3.0.5
RubyonrailsRails Version3.0.5 Updaterc1
RubyonrailsRails Version3.0.6
RubyonrailsRails Version3.0.6 Updaterc1
RubyonrailsRails Version3.0.6 Updaterc2
RubyonrailsRails Version3.0.7
RubyonrailsRails Version3.0.7 Updaterc1
RubyonrailsRails Version3.0.7 Updaterc2
RubyonrailsRails Version3.0.8
RubyonrailsRails Version3.0.8 Updaterc1
RubyonrailsRails Version3.0.8 Updaterc2
RubyonrailsRails Version3.0.8 Updaterc3
RubyonrailsRails Version3.0.8 Updaterc4
RubyonrailsRails Version3.0.9
RubyonrailsRails Version3.0.9 Updaterc1
RubyonrailsRails Version3.0.9 Updaterc2
RubyonrailsRails Version3.0.9 Updaterc3
RubyonrailsRails Version3.0.9 Updaterc4
RubyonrailsRails Version3.0.9 Updaterc5
RubyonrailsRails Version3.0.10 Updaterc1
RubyonrailsRails Version3.1.0
RubyonrailsRails Version3.1.0 Updatebeta1
RubyonrailsRails Version3.1.0 Updaterc1
RubyonrailsRails Version3.1.0 Updaterc2
RubyonrailsRails Version3.1.0 Updaterc3
RubyonrailsRails Version3.1.0 Updaterc4
RubyonrailsRuby On Rails Version3.0.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.49% 0.826
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://www.debian.org/security/2011/dsa-2301
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
Patch
http://www.openwall.com/lists/oss-security/2011/08/17/1
Patch
http://www.openwall.com/lists/oss-security/2011/08/19/11
Patch
http://www.openwall.com/lists/oss-security/2011/08/20/1
Patch
http://www.openwall.com/lists/oss-security/2011/08/22/13
Patch
http://www.openwall.com/lists/oss-security/2011/08/22/14
http://www.openwall.com/lists/oss-security/2011/08/22/5
Patch
http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain
Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html
http://secunia.com/advisories/45921
https://bugzilla.redhat.com/show_bug.cgi?id=731436
Patch
https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
Patch