Ruby On Rails Multiple Cross Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is running Ruby on Rails and is prone to multiple cross site scripting vulnerabilities.

Impact

Successful exploitation will allow attackers to inject arbitrary web script or HTML via a crafted name or email value. Impact Level: Application

Solution

Upgrade to Ruby on Rails version 3.0.4 or 2.3.11. For updates refer to http://rubyonrails.org/download

Insight

The flaw is caused by an input validation error when processing 'name' or 'email' values while the ':encode => :javascript' option is used, which could allow cross site scripting attacks.

Affected

Ruby on Rails versions before 2.3.11, and 3.x before 3.0.4

References

http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain
http://www.vupen.com/english/advisories/2011/0343

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-0446

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache OFBiz Multiple Cross Site Scripting Vulnerabilities
Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities
Apache Tomcat Login Constraints Security Bypass Vulnerability
Ampache Reflected Cross Site Scripting Vulnerability
Apache Archiva Multiple Vulnerabilities

Ruby on Rails Multiple Cross Site Scripting Vulnerabilities

Take action and discover your vulnerabilities