Published: 07/12/2009 Updated: 08/08/2019

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails prior to 2.2.s, and 2.3.x prior to 2.3.5, allows remote malicious users to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Vulnerable Product	Search on Vulmon	Subscribe to Product
rubyonrails rails 2.3.2
rubyonrails rails 2.3.3
rubyonrails rails 2.3.4
rubyonrails rails 1.9.5
rubyonrails rails 1.2.5
rubyonrails rails 1.1.5
rubyonrails rails 1.1.3
rubyonrails ruby on rails 0.8.0
rubyonrails ruby on rails 0.9.0
rubyonrails ruby on rails 0.5.0
rubyonrails ruby on rails 0.5.6
rubyonrails rails 0.13.0
rubyonrails rails 0.14.1
rubyonrails rails 0.11.0
rubyonrails rails 2.1.1
rubyonrails rails 2.0.4
rubyonrails rails 2.0.0
rubyonrails rails 2.0.1
rubyonrails rails 1.1.2
rubyonrails rails 1.1.1
rubyonrails rails 1.1.0
rubyonrails rails 1.0.0
rubyonrails ruby on rails 0.6.0
rubyonrails ruby on rails 0.6.5
rubyonrails ruby on rails 0.7.0
rubyonrails rails 0.12.0
rubyonrails rails 1.2.3
rubyonrails rails 1.2.2
rubyonrails rails 1.2.1
rubyonrails rails 1.2.0
rubyonrails rails 0.9.2
rubyonrails rails 0.9.3
rubyonrails rails 0.9.4
rubyonrails rails 0.9.4.1
rubyonrails rails 0.14.4
rubyonrails rails 0.13.1
rubyonrails rails 0.14.3
rubyonrails rails 0.14.2
rubyonrails rails 0.10.0
rubyonrails rails 2.1.0
rubyonrails rails 2.0.2
rubyonrails rails 1.2.6
rubyonrails rails 1.2.4
rubyonrails rails 1.1.6
rubyonrails rails 1.1.4
rubyonrails ruby on rails 0.8.5
rubyonrails rails 0.9.1
rubyonrails ruby on rails 0.5.5
rubyonrails ruby on rails 0.5.7
rubyonrails rails 0.11.1
rubyonrails rails 0.12.1
rubyonrails rails 0.10.1
rubyonrails ruby on rails

Debian Bug report logs - #558685 rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in the strip_tags Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Source for rails is src:rails (PTS, buildd, popcon) Reported by: Michael Gilbert < ...

Two vulnerabilities were discovered in Ruby on Rails, a web application framework The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3086 The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests CVE-2009-4214 A cross-site scripting ...

Several vulnerabilities have been discovered in Rails, the Ruby web application framework The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-4214 A cross-site scripting (XSS) vulnerability had been found in the strip_tags function An attacker may inject non-printable characters that certain b ...

CWE-79 http://www.vupen.com/english/advisories/2009/3352 http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5 http://www.securitytracker.com/id?1023245 http://www.openwall.com/lists/oss-security/2009/11/27/2 http://secunia.com/advisories/37446 http://www.securityfocus.com/bid/37142 http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1 http://www.openwall.com/lists/oss-security/2009/12/08/3 http://secunia.com/advisories/38915 http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html http://support.apple.com/kb/HT4077 http://www.debian.org/security/2011/dsa-2260 http://www.debian.org/security/2011/dsa-2301 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685 https://nvd.nist.gov https://www.debian.org/security/./dsa-2260

CVE-2009-4214

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect