Cross-site Scripting (XSS) Affecting activesupport package, versions < 3.2.8, >= 3.2< 3.1.8, >= 3.1< 3.0.17


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.22% (61st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUBY-ACTIVESUPPORT-20036
  • published8 Aug 2012
  • disclosed8 Aug 2012
  • creditUnknown

Introduced: 8 Aug 2012

CVE-2012-3464  (opens in a new tab)
CWE-79  (opens in a new tab)

Overview

activesupport is toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Cross-site Scripting. The HTML escaping code functionality does not properly escape a single quote character. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Details

<>

References

CVSS Scores

version 3.1