CVE-2011-0446

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*

History

21 Nov 2024, 01:23

Type Values Removed Values Added
References () http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain - Patch () http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain - Patch
References () http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html - () http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html -
References () http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html - () http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html -
References () http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html - () http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html -
References () http://secunia.com/advisories/43274 - () http://secunia.com/advisories/43274 -
References () http://secunia.com/advisories/43666 - () http://secunia.com/advisories/43666 -
References () http://www.debian.org/security/2011/dsa-2247 - () http://www.debian.org/security/2011/dsa-2247 -
References () http://www.securityfocus.com/bid/46291 - () http://www.securityfocus.com/bid/46291 -
References () http://www.securitytracker.com/id?1025064 - () http://www.securitytracker.com/id?1025064 -
References () http://www.vupen.com/english/advisories/2011/0587 - () http://www.vupen.com/english/advisories/2011/0587 -
References () http://www.vupen.com/english/advisories/2011/0877 - () http://www.vupen.com/english/advisories/2011/0877 -

Information

Published : 2011-02-14 21:00

Updated : 2024-11-21 01:23


NVD link : CVE-2011-0446

Mitre link : CVE-2011-0446

CVE.ORG link : CVE-2011-0446


JSON object : View

Products Affected

rubyonrails

  • rails
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')