CVE-2009-3009

Description

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

How to fix CVE-2009-3009

To remediate CVE-2009-3009, upgrade the affected package to a fixed version below.

• Debian/rails—upgrade to 2.2.3-1 or later
• Debian/rails—upgrade to 2.1.0-7 or later
• RubyGems/actionpack—upgrade to 2.2.3 or later
• —upgrade to 2.2.3 or later

Is CVE-2009-3009 being exploited?

Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.2.3-1
• from 0, < 2.1.0-7
• >= 2.0.0, < 2.2.3
• >= 2.0.0, < 2.2.3

References (18)

• ADVISORYgithub.com/advisories/GHSA-8qrh-h9m2-5fvf
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2009-3009
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2009-3009
• WEBbugs.debian.org/cgi-bin/bugreport.cgi?bug=545063