GHSA-2xjj-5x6h-8vmf

Suggest an improvement
Source
https://github.com/advisories/GHSA-2xjj-5x6h-8vmf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-2xjj-5x6h-8vmf/GHSA-2xjj-5x6h-8vmf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2xjj-5x6h-8vmf
Aliases
Published
2017-10-24T18:33:38Z
Modified
2024-11-29T05:39:55.787577Z
Summary
Cross-site Scripting in actionpack
Details

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.

Database specific
{
    "nvd_published_at": "2012-03-13T10:55:01Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:53:21Z"
}
References

Affected packages

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.12

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.4

Affected versions

3.*

3.1.0
3.1.1.rc1
3.1.1.rc2
3.1.1.rc3
3.1.1
3.1.2.rc1
3.1.2.rc2
3.1.2
3.1.3
3.1.4.rc1

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.2

Affected versions

3.*

3.2.0
3.2.1
3.2.2.rc1