4.3

CVE-2011-2932

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version2.0.0
RubyonrailsRails Version2.0.0 Updaterc1
RubyonrailsRails Version2.0.0 Updaterc2
RubyonrailsRails Version2.0.1
RubyonrailsRails Version2.0.2
RubyonrailsRails Version2.0.4
RubyonrailsRails Version2.1.0
RubyonrailsRails Version2.1.1
RubyonrailsRails Version2.1.2
RubyonrailsRails Version2.2.0
RubyonrailsRails Version2.2.1
RubyonrailsRails Version2.2.2
RubyonrailsRails Version2.3.2
RubyonrailsRails Version2.3.3
RubyonrailsRails Version2.3.4
RubyonrailsRails Version2.3.9
RubyonrailsRails Version2.3.10
RubyonrailsRails Version2.3.11
RubyonrailsRails Version2.3.12
RubyonrailsRails Version3.0.0
RubyonrailsRails Version3.0.0 Updatebeta
RubyonrailsRails Version3.0.0 Updatebeta2
RubyonrailsRails Version3.0.0 Updatebeta3
RubyonrailsRails Version3.0.0 Updatebeta4
RubyonrailsRails Version3.0.0 Updaterc
RubyonrailsRails Version3.0.0 Updaterc2
RubyonrailsRails Version3.0.1
RubyonrailsRails Version3.0.1 Updatepre
RubyonrailsRails Version3.0.2
RubyonrailsRails Version3.0.2 Updatepre
RubyonrailsRails Version3.0.3
RubyonrailsRails Version3.0.4 Updaterc1
RubyonrailsRails Version3.0.5
RubyonrailsRails Version3.0.5 Updaterc1
RubyonrailsRails Version3.0.6
RubyonrailsRails Version3.0.6 Updaterc1
RubyonrailsRails Version3.0.6 Updaterc2
RubyonrailsRails Version3.0.7
RubyonrailsRails Version3.0.7 Updaterc1
RubyonrailsRails Version3.0.7 Updaterc2
RubyonrailsRails Version3.0.8
RubyonrailsRails Version3.0.8 Updaterc1
RubyonrailsRails Version3.0.8 Updaterc2
RubyonrailsRails Version3.0.8 Updaterc3
RubyonrailsRails Version3.0.8 Updaterc4
RubyonrailsRails Version3.0.9
RubyonrailsRails Version3.0.9 Updaterc1
RubyonrailsRails Version3.0.9 Updaterc2
RubyonrailsRails Version3.0.9 Updaterc3
RubyonrailsRails Version3.0.9 Updaterc4
RubyonrailsRails Version3.0.9 Updaterc5
RubyonrailsRails Version3.0.10 Updaterc1
RubyonrailsRails Version3.1.0
RubyonrailsRails Version3.1.0 Updatebeta1
RubyonrailsRails Version3.1.0 Updaterc1
RubyonrailsRails Version3.1.0 Updaterc2
RubyonrailsRails Version3.1.0 Updaterc3
RubyonrailsRails Version3.1.0 Updaterc4
RubyonrailsRuby On Rails Version3.0.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.49% 0.826
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
Patch
http://www.openwall.com/lists/oss-security/2011/08/17/1
Patch
http://www.openwall.com/lists/oss-security/2011/08/19/11
Patch
http://www.openwall.com/lists/oss-security/2011/08/20/1
Patch
http://www.openwall.com/lists/oss-security/2011/08/22/13
Patch
http://www.openwall.com/lists/oss-security/2011/08/22/14
http://www.openwall.com/lists/oss-security/2011/08/22/5
Patch
http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain
Patch
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html
http://secunia.com/advisories/45917
https://bugzilla.redhat.com/show_bug.cgi?id=731435
Patch
https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
Patch