GHSA-75w6-p6mg-vh8j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-75w6-p6mg-vh8j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-75w6-p6mg-vh8j/GHSA-75w6-p6mg-vh8j.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-75w6-p6mg-vh8j
- Aliases
- Published
- 2017-10-24T18:33:38Z
- Modified
- 2024-11-28T05:45:50.524919Z
- Summary
- Rails actionpack gem vulnerable to Cross-site Scripting
- Details
-
Multiple cross-site scripting (XSS) vulnerabilities in the
mail_tohelper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2011-02-14T21:00:03Z", "github_reviewed_at": "2020-06-16T21:21:29Z", "cwe_ids": [ "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2011-0446
- https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217
- https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml
- https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ
- https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274
- https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666
- https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
- https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064
- http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
- http://www.debian.org/security/2011/dsa-2247
Affected packages
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.11
Affected versions
0.*
0.9.0
0.9.5
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.5.1
1.6.0
1.7.0
1.8.0
1.8.1
1.9.0
1.9.1
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.2
2.2.3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8.pre1
2.3.8
2.3.9.pre
2.3.9
2.3.10
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
RubyGems / actionview
Package
- Name
- actionview
- Purl
- pkg:gem/actionview
RubyGems / actionview
Package
- Name
- actionview
- Purl
- pkg:gem/actionview