CVE-2012-3463

Published: 10 August 2012

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.

Notes

Author	Note
tyhicks	2.3.x is not affected

Priority

Status

Package	Release	Status
rails Launchpad, Ubuntu, Debian	artful	Not vulnerable (contains no code)
	bionic	Not vulnerable (contains no code)
	cosmic	Not vulnerable (contains no code)
	disco	Not vulnerable (contains no code)
	hardy	Not vulnerable
	lucid	Not vulnerable
	natty	Not vulnerable (2.3.5-1.2ubuntu1.1)
	oneiric	Not vulnerable (contains no code)
	precise	Not vulnerable (contains no code)
	quantal	Not vulnerable (contains no code)
	raring	Not vulnerable (contains no code)
	saucy	Not vulnerable (contains no code)
	trusty	Does not exist (trusty was not-affected [contains no code])
	upstream	Not vulnerable
	utopic	Not vulnerable (contains no code)
	vivid	Not vulnerable (contains no code)
	wily	Not vulnerable (contains no code)
	xenial	Not vulnerable (contains no code)
	yakkety	Not vulnerable (contains no code)
	zesty	Not vulnerable (contains no code)
ruby-actionpack-2.3 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	hardy	Does not exist
	lucid	Does not exist
	natty	Does not exist
	oneiric	Not vulnerable
	precise	Not vulnerable
	quantal	Not vulnerable
	raring	Not vulnerable
	saucy	Not vulnerable
	trusty	Does not exist
	upstream	Not vulnerable
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
ruby-actionpack-3.2 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	hardy	Does not exist
	lucid	Does not exist
	natty	Does not exist
	oneiric	Does not exist
	precise	Does not exist
	quantal	Ignored (end of life)
	raring	Ignored (end of life)
	saucy	Ignored (end of life)
	trusty	Does not exist (trusty was needed)
	upstream	Needed
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
ruby-rails-2.3 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	hardy	Does not exist
	lucid	Does not exist
	natty	Does not exist
	oneiric	Not vulnerable
	precise	Not vulnerable
	quantal	Not vulnerable
	raring	Not vulnerable
	saucy	Not vulnerable
	trusty	Does not exist
	upstream	Not vulnerable
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
ruby-rails-3.2 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	hardy	Does not exist
	lucid	Does not exist
	natty	Does not exist
	oneiric	Does not exist
	precise	Does not exist
	quantal	Not vulnerable (code not present)
	raring	Not vulnerable (code not present)
	saucy	Not vulnerable (code not present)
	trusty	Does not exist (trusty was not-affected [code not present])
	upstream	Not vulnerable
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684454

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›