CVE-2012-1099

Description

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.

How to fix CVE-2012-1099

To remediate CVE-2012-1099, upgrade the affected package to a fixed version below.

• Debian/rails—upgrade to 2.3.14 or later
• Debian/rails—upgrade to 2.3.5-1.2+squeeze3 or later
• —upgrade to 3.0.12 or later

Is CVE-2012-1099 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 2.3.14
• from 0, < 2.3.5-1.2+squeeze3
• >= 3.0.0, < 3.0.12

References (12)

• ADVISORYgithub.com/advisories/GHSA-2xjj-5x6h-8vmf
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-1099
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-1099
• WEBgroups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain