GHSA-9p3v-wf2w-v29c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9p3v-wf2w-v29c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-9p3v-wf2w-v29c/GHSA-9p3v-wf2w-v29c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9p3v-wf2w-v29c
- Aliases
- Published
- 2017-10-24T18:33:38Z
- Modified
- 2024-11-28T05:39:58.815128Z
- Summary
- Moderate severity vulnerability that affects rails
- Details
-
Cross-site scripting (XSS) vulnerability in the striptags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/actioncontroller/vendor/html-scanner/html/node.rb.
- Database specific
{ "nvd_published_at": "2009-12-07T17:30:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:29:07Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2009-4214
- https://github.com/advisories/GHSA-9p3v-wf2w-v29c
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
- http://github.com/rails/rails
- http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://secunia.com/advisories/37446
- http://secunia.com/advisories/38915
- http://support.apple.com/kb/HT4077
- http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
- http://www.debian.org/security/2011/dsa-2260
- http://www.debian.org/security/2011/dsa-2301
- http://www.openwall.com/lists/oss-security/2009/11/27/2
- http://www.openwall.com/lists/oss-security/2009/12/08/3
- http://www.securityfocus.com/bid/37142
- http://www.securitytracker.com/id?1023245
- http://www.vupen.com/english/advisories/2009/3352
Affected packages
RubyGems / rails
Package
- Name
- rails
- Purl
- pkg:gem/rails
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2.2
Affected versions
0.*
0.8.0
0.8.5
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.4.1
0.9.5
0.10.0
0.10.1
0.11.0
0.11.1
0.12.0
0.12.1
0.13.0
0.13.1
0.14.1
0.14.2
0.14.3
0.14.4
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
RubyGems / rails
Package
- Name
- rails
- Purl
- pkg:gem/rails