Cross-site Scripting Vulnerability in Active Support by Ruby on Rails
CVE-2015-3226


Key Information:

Vendor: Ruby on Rails
CVE Published: 26 July 2015

What is CVE-2015-3226?

A cross-site scripting (XSS) vulnerability exists in the Active Support component of Ruby on Rails, specifically in the file json/encoding.rb. It affects the 3.x series, 4.1.x releases before 4.1.11, and 4.2.x releases before 4.2.2. Because a crafted Hash is handled improperly during JSON encoding, a remote attacker can inject arbitrary web script or HTML into the encoder's output. Where that output reaches a victim's browser, the injected script runs in the context of the affected application, putting user data and session integrity at risk. For the 4.x lines, the fix is to move to 4.1.11 or 4.2.2 (or later); the page names no fixed release for the 3.x series.
