CVE-2012-1098 — activesupport Cross-site Scripting vulnerability

Description

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.

How to fix CVE-2012-1098

To remediate CVE-2012-1098, upgrade the affected package to a fixed version below.

Debian/rails—upgrade to 2.3.14 or later
RubyGems/activesupport—upgrade to 3.0.12 or later

Is CVE-2012-1098 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.14
>= 3.0.0, < 3.0.12

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-1098
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-1098
WEBgroups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain
WEBlists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html