Cross-Site Scripting Vulnerability in Ruby on Rails Framework
CVE-2012-3463
Currently unrated
What is CVE-2012-3463?
A cross-site scripting vulnerability exists in the Ruby on Rails framework, specifically in the actionpack/lib/action_view/helpers/form_tag_helper.rb file. The issue affects Ruby on Rails 3.x versions prior to 3.0.17, 3.1.x prior to 3.1.8, and 3.2.x prior to 3.2.8. Attackers can exploit it to inject arbitrary web script or HTML through the prompt field of the select_tag helper, potentially compromising the integrity of web applications that use this feature.
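The following added example (not code from Rails or from this advisory) checks a Gemfile.lock for an actionpack version inside the affected ranges listed above, and contrasts an unescaped prompt with an escaped one. The helper names, the sample lockfile and the sample prompt are constructed for illustration, and the two prompt_option_* methods are a simplified model of the flaw, not the actual helper source.

```ruby
require "erb"

# First fixed release per series, taken from the advisory text above.
FIXED_IN = {
  "3.0" => Gem::Version.new("3.0.17"),
  "3.1" => Gem::Version.new("3.1.8"),
  "3.2" => Gem::Version.new("3.2.8"),
}.freeze

# True when an actionpack/Rails version is in an affected range.
def affected_by_cve_2012_3463?(version_string)
  version = Gem::Version.new(version_string)
  fixed = FIXED_IN[version.segments.first(2).join(".")]
  !fixed.nil? && version < fixed
end

# Pull the resolved actionpack version out of Gemfile.lock text (nil if absent).
def locked_actionpack_version(lockfile_text)
  lockfile_text[/^ {4}actionpack \(([^)]+)\)$/, 1]
end

# Simplified model of the flaw (hypothetical helper, not the Rails source):
# the prompt lands inside <option> markup without HTML escaping.
def prompt_option_unescaped(prompt)
  "<option value=\"\">#{prompt}</option>"
end

# Hardened form: escape the prompt before it becomes part of the markup.
def prompt_option_escaped(prompt)
  "<option value=\"\">#{ERB::Util.html_escape(prompt)}</option>"
end

# Constructed sample inputs, not taken from any real application.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.6)
      rails (3.2.6)
        actionpack (= 3.2.6)
LOCK
SAMPLE_PROMPT = "<script>alert(1)</script>"

if __FILE__ == $PROGRAM_NAME
  locked = locked_actionpack_version(SAMPLE_LOCKFILE)
  puts "actionpack #{locked} affected: #{affected_by_cve_2012_3463?(locked)}"
  puts prompt_option_unescaped(SAMPLE_PROMPT)
  puts prompt_option_escaped(SAMPLE_PROMPT)
end
```

Any select_tag call whose prompt can carry user-influenced text is the place to review on an affected version.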