MEDIUM
GHSA-2xjj-5x6h-8vmf
Cross-site Scripting in actionpack
Details
Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/form_options_helper.rb` in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
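A check for the affected version ranges above, as an added example that is not part of the advisory or of Rails. The `Gemfile.lock` text is constructed sample input, and the helper names `fixed_release_for`, `actionpack_version` and `audit` are hypothetical.

```ruby
require "rubygems"

# First fixed release per release series, taken from the advisory text.
FIXED_BY_SERIES = {
  "3.0" => Gem::Version.new("3.0.12"),
  "3.1" => Gem::Version.new("3.1.4"),
  "3.2" => Gem::Version.new("3.2.2"),
}.freeze

# Returns the release to upgrade to, or nil when the version is already
# fixed or lies outside the series this advisory lists.
def fixed_release_for(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  fixed = FIXED_BY_SERIES[series]
  return nil unless fixed
  version < fixed ? fixed : nil
end

# Resolved gems sit at four spaces of indentation under "specs:" in a
# Gemfile.lock; their dependency lines use six, so they do not match.
def actionpack_version(lockfile_text)
  match = lockfile_text.match(/^ {4}actionpack \(([^)\s]+)\)$/)
  match && match[1]
end

def audit(lockfile_text)
  version = actionpack_version(lockfile_text)
  return { status: :not_found } unless version
  fixed = fixed_release_for(version)
  return { status: :not_affected, version: version } unless fixed
  { status: :affected, version: version, upgrade_to: fixed.to_s }
end

# Constructed sample lockfile fragment (not from the advisory).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.1)
        activesupport (= 3.2.1)
      activesupport (3.2.1)
LOCK

puts audit(SAMPLE_LOCK).inspect
```

A `:not_affected` result only means the version is outside the ranges this advisory names; it says nothing about other advisories.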
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-1099 [ADVISORY]
- https://bugzilla.redhat.com/show_bug.cgi?id=799276 [WEB]
- https://github.com/advisories/GHSA-2xjj-5x6h-8vmf [ADVISORY]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml [WEB]
- http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html [WEB]
- http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released [WEB]
- http://www.debian.org/security/2012/dsa-2466 [WEB]
- http://www.openwall.com/lists/oss-security/2012/03/02/6 [WEB]
- http://www.openwall.com/lists/oss-security/2012/03/03/1 [WEB]