Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-3009

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

Published

2009-09-08T18:30:00.327

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	rubyonrails	rails	2.0.0	Yes
Application	rubyonrails	rails	2.0.0	Yes
Application	rubyonrails	rails	2.0.0	Yes
Application	rubyonrails	rails	2.0.1	Yes
Application	rubyonrails	rails	2.0.2	Yes
Application	rubyonrails	rails	2.0.4	Yes
Application	rubyonrails	rails	2.1.0	Yes
Application	rubyonrails	rails	2.1.1	Yes
Application	rubyonrails	rails	2.1.2	Yes
Application	rubyonrails	rails	2.2.0	Yes
Application	rubyonrails	rails	2.2.1	Yes
Application	rubyonrails	rails	2.2.2	Yes
Application	rubyonrails	rails	2.3.2	Yes
Application	rubyonrails	rails	2.3.3	Yes

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063 ([email protected])
http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source Patch ([email protected])
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html ([email protected])
http://secunia.com/advisories/36600 Vendor Advisory ([email protected])
http://secunia.com/advisories/36717 Vendor Advisory ([email protected])
http://securitytracker.com/id?1022824 Patch ([email protected])
http://support.apple.com/kb/HT4077 ([email protected])
http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails ([email protected])
http://www.debian.org/security/2009/dsa-1887 ([email protected])
http://www.osvdb.org/57666 ([email protected])
http://www.securityfocus.com/bid/36278 ([email protected])
http://www.vupen.com/english/advisories/2009/2544 Patch, Vendor Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/53036 ([email protected])
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063 (af854a3a-2127-422b-91ae-364da2661108)
http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source Patch (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/36600 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/36717 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1022824 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT4077 (af854a3a-2127-422b-91ae-364da2661108)
http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2009/dsa-1887 (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/57666 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/36278 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/2544 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/53036 (af854a3a-2127-422b-91ae-364da2661108)