4.3
CVSSv2

CVE-2012-1099

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.

Vendor Advisories

Debian Bug report logs - #668607 CVE-2012-1099: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helperrb in the select helper in Ruby on Rails 30x Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Source for rai ...
Debian Bug report logs - #668977 CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 30x [check if applies to RoR 23] Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Source for rails is src:rails (PTS, buildd, popcon) Report ...
Sergey Nartimov discovered that in Rails, a Ruby based framework for web development, when developers generate html options tags manually, user input concatenated with manually built tags may not be escaped and an attacker can inject arbitrary HTML into the document For the stable distribution (squeeze), this problem has been fixed in version 23 ...