Summary
This host is running Ruby on Rails and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to Ruby on Rails 2.3.12, 3.0.8 or 3.1.0.rc2, or a later release of the corresponding branch.
For updates refer to http://rubyonrails.org/download
Alternatively, apply the patch for Ruby on Rails 3.1.0.rc1, 3.0.7 or 2.3.11 from the link below.
http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
Insight
The flaw exists because certain string methods do not correctly handle the 'HTML safe' mark: a string derived from an HTML-safe string can remain marked safe even after untrusted input has been spliced into it, so that input is returned to the user without being escaped.
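To make the Insight concrete, the following is an added example (not the advisory's text and not Rails' own code): a constructed, minimal model of an HTML-safe string buffer, first in the pre-fix shape where the safe mark is a property of the class (so every instance is trusted, including one that gsub has just filled with attacker input), then in the post-fix shape where the mark is per instance and the splicing methods return an unsafe String or drop the mark. The class names, the render helpers and the attacker string are all constructed for this example; the explicit gsub/sub overrides reproduce the fact that, on the Ruby versions Rails 2.3/3.0 ran on, String#gsub on a subclass returned an instance of that subclass.

```ruby
require 'erb'

# Constructed model of an "HTML safe" buffer (NOT Rails' ActiveSupport::SafeBuffer).
# Appending (<<) to a safe buffer escapes anything not itself marked HTML-safe;
# that is the only place escaping happens, so the mark decides what gets escaped.
class SafeBufferBase < String
  def concat(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : ERB::Util.html_escape(value))
  end

  def <<(value)
    concat(value)
  end
end

# Pre-fix shape: the mark belongs to the class, so ANY instance is trusted,
# including one built by gsub/sub around untrusted text. gsub/sub are overridden
# to return the same class, as String#gsub on a subclass did on older Ruby.
class VulnerableSafeBuffer < SafeBufferBase
  def html_safe?
    true
  end

  %w[sub gsub].each do |m|
    define_method(m) { |*args, &blk| self.class.new(to_str.public_send(m, *args, &blk)) }
  end
end

# Post-fix shape: the mark is per instance. The methods that can splice arbitrary
# text into the buffer return a plain String (escaped when appended later), and
# their in-place variants drop the mark.
class FixedSafeBuffer < SafeBufferBase
  def initialize(str = "")
    @html_safe = true
    super(str)
  end

  def html_safe?
    @html_safe == true
  end

  %w[sub gsub].each do |m|
    define_method(m) { |*args, &blk| to_str.public_send(m, *args, &blk) }
    define_method("#{m}!") do |*args, &blk|
      @html_safe = false
      super(*args, &blk)
    end
  end
end

ATTACKER_NAME = "<script>alert(1)</script>" # constructed untrusted input

# The buggy pattern: trusted markup is post-processed with gsub, splicing
# untrusted text into it, and the result is appended to the page.
def render_with_gsub(buffer_class, name)
  fragment = buffer_class.new("<p>Hello, NAME!</p>").gsub("NAME", name)
  out = buffer_class.new
  out << fragment # escaped only if fragment is not html_safe?
  out.to_str
end

# The safe pattern, valid before and after the fix: never substitute untrusted
# text into a safe string; append it so the buffer escapes it.
def render_by_appending(buffer_class, name)
  out = buffer_class.new
  out << buffer_class.new("<p>Hello, ") << name << buffer_class.new("!</p>")
  out.to_str
end

if __FILE__ == $0
  puts "vulnerable, gsub:  #{render_with_gsub(VulnerableSafeBuffer, ATTACKER_NAME)}"
  puts "fixed, gsub:       #{render_with_gsub(FixedSafeBuffer, ATTACKER_NAME)}"
  puts "either, appending: #{render_by_appending(FixedSafeBuffer, ATTACKER_NAME)}"
end
```

With the pre-fix buffer the script tag reaches the page untouched. With the post-fix buffer the whole gsub result is escaped, markup included, because a string that has been through gsub is no longer trusted; that is the visible behaviour change the fix brings, and the cure for it is the appending pattern, which escapes only the untrusted part. The in-place variants (gsub!, sub!) are the case to remember when reviewing code: on the fixed buffer they clear the mark, on the old one they silently keep it.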
Affected
Ruby on Rails version 2.x before 2.3.12, 3.0.x before 3.0.8 and 3.1.x before 3.1.0.rc2.
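The affected ranges above span three branches and one release-candidate boundary, which is where ad-hoc string comparison goes wrong ("3.1.0.rc1" sorts after "3.1.0" lexically but is older). The check below is an added example, not part of the advisory: it encodes the Affected ranges with Gem::Version, which orders pre-release segments such as rc1 and rc2 correctly. The constant and function names are constructed for this example.

```ruby
require 'rubygems'

# Fixed version per affected branch, as listed in the Affected section.
FIXED_BY_BRANCH = {
  "2"   => Gem::Version.new("2.3.12"),
  "3.0" => Gem::Version.new("3.0.8"),
  "3.1" => Gem::Version.new("3.1.0.rc2"),
}.freeze

# True when version_string falls inside one of the affected ranges.
# Branches this advisory does not cover (1.x, 3.2 and later) return false.
def rails_affected?(version_string)
  version = Gem::Version.new(version_string)
  segs = version.segments            # "3.1.0.rc1" => [3, 1, 0, "rc", 1]
  branch = segs[0] == 2 ? "2" : "#{segs[0]}.#{segs[1]}"
  fixed = FIXED_BY_BRANCH[branch]
  return false if fixed.nil?
  version < fixed                    # Gem::Version: 3.1.0.rc1 < 3.1.0.rc2 < 3.1.0
end

if __FILE__ == $0
  %w[2.3.11 2.3.12 3.0.7 3.0.8 3.1.0.rc1 3.1.0.rc2 3.1.0 3.2.0].each do |v|
    puts "#{v}: #{rails_affected?(v) ? 'affected' : 'not affected'}"
  end
end
```

In an application, pass Rails.version (or Rails::VERSION::STRING); on a host, the output of `rails -v` or the rails entry in Gemfile.lock is the value to feed in.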
References
Severity
CVSS Base Score: 4.3 (Medium)
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Classification
CVE: CVE-2011-2197
Related Vulnerabilities
- Apache Struts Cross Site Scripting Vulnerability
- A4Desk Event Calendar 'eventid' Parameter SQL Injection Vulnerability
- AjaXplorer 'doc_file' Parameter Local File Disclosure Vulnerability
- Adobe Presenter viewer.swf and loadflash.js XSS Vulnerability
- Apache Tomcat Cross-Site Scripting and Security Bypass Vulnerabilities