CVE-2011-2197.yml
---
gem: activesupport
framework: rails
cve: 2011-2197
ghsa: v9v4-7jp6-8c73
url: http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
title: Potential XSS Vulnerability in Ruby on Rails Applications
date: 2017-10-24
description: |
  The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x
  before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does
  not properly handle mutation of safe buffers, which makes it easier
  for remote attackers to conduct XSS attacks via crafted strings to an
  application that uses a problematic string method, as demonstrated
  by the sub method.
cvss_v2: 4.3
patched_versions:
  - "~> 2.3.12"
  - ">= 3.0.8"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2011-2197
    - http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
    - https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd
    - https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da
    - https://groups.google.com/g/rubyonrails-security/c/LlFuesyWxPs/m/1OBxRA1gO2YJ
    - https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f
    - https://github.com/advisories/GHSA-v9v4-7jp6-8c73
    - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html
    - http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html
    - http://openwall.com/lists/oss-security/2011/06/09/2
    - http://openwall.com/lists/oss-security/2011/06/13/9