MEDIUM

GHSA-gm25-fpmr-43fj

Moderate severity vulnerability that affects rails

Details

Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / rails

Introduced in: 0 Fixed in: 1.2.5

Fix bundle update rails

References

https://nvd.nist.gov/vuln/detail/CVE-2007-3227 [ADVISORY]
https://github.com/advisories/GHSA-gm25-fpmr-43fj [ADVISORY]
https://github.com/rails/rails [PACKAGE]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml [WEB]
http://bugs.gentoo.org/show_bug.cgi?id=195315 [WEB]
http://dev.rubyonrails.org/ticket/8371 [WEB]
http://osvdb.org/36378 [WEB]
http://pastie.caboo.se/65550.txt [WEB]
http://secunia.com/advisories/25699 [WEB]
http://secunia.com/advisories/27657 [WEB]
http://secunia.com/advisories/27756 [WEB]
http://security.gentoo.org/glsa/glsa-200711-17.xml [WEB]
http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release [WEB]
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release [WEB]
http://www.novell.com/linux/security/advisories/2007_24_sr.html [WEB]
http://www.securityfocus.com/bid/24161 [WEB]
http://www.vupen.com/english/advisories/2007/2216 [WEB]