GHSA-qv8p-v9qw-wc7g

Source

https://github.com/advisories/GHSA-qv8p-v9qw-wc7g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-qv8p-v9qw-wc7g/GHSA-qv8p-v9qw-wc7g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qv8p-v9qw-wc7g

Aliases

CVE-2012-1098

Published

2017-10-24T18:33:38Z

Modified

2024-11-30T05:28:15.802926Z

Summary

activesupport Cross-site Scripting vulnerability

Details

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.

Database specific

{
    "nvd_published_at": "2012-03-13T10:55:01Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:52:51Z"
}

References

Affected packages

RubyGems / activesupport

Package

Name: activesupport
Purl: pkg:gem/activesupport

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.12

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4.rc1

3.0.4

3.0.5.rc1

3.0.5

3.0.6.rc1

3.0.6.rc2

3.0.6

3.0.7.rc1

3.0.7.rc2

3.0.7

3.0.8.rc1

3.0.8.rc2

3.0.8.rc4

3.0.8

3.0.9.rc1

3.0.9.rc3

3.0.9.rc4

3.0.9.rc5

3.0.9

3.0.10.rc1

3.0.10

3.0.11

3.0.12.rc1

RubyGems / activesupport

Package

Name: activesupport
Purl: pkg:gem/activesupport

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.4

Affected versions

3.*

3.1.0

3.1.1.rc1

3.1.1.rc2

3.1.1.rc3

3.1.1

3.1.2.rc1

3.1.2.rc2

3.1.2

3.1.3

3.1.4.rc1

RubyGems / activesupport

Package

Name: activesupport
Purl: pkg:gem/activesupport

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Fixed

3.2.2

Affected versions

3.*

3.2.0

3.2.1

3.2.2.rc1