CVE-2012-3463
Published: 10 August 2012
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
Notes
Author | Note |
---|---|
tyhicks | 2.3.x is not affected |
Priority
Status
Package | Release | Status |
---|---|---|
rails Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(contains no code)
|
bionic |
Not vulnerable
(contains no code)
|
|
cosmic |
Not vulnerable
(contains no code)
|
|
disco |
Not vulnerable
(contains no code)
|
|
hardy |
Not vulnerable
|
|
lucid |
Not vulnerable
|
|
natty |
Not vulnerable
(2.3.5-1.2ubuntu1.1)
|
|
oneiric |
Not vulnerable
(contains no code)
|
|
precise |
Not vulnerable
(contains no code)
|
|
quantal |
Not vulnerable
(contains no code)
|
|
raring |
Not vulnerable
(contains no code)
|
|
saucy |
Not vulnerable
(contains no code)
|
|
trusty |
Does not exist
(trusty was not-affected [contains no code])
|
|
upstream |
Not vulnerable
|
|
utopic |
Not vulnerable
(contains no code)
|
|
vivid |
Not vulnerable
(contains no code)
|
|
wily |
Not vulnerable
(contains no code)
|
|
xenial |
Not vulnerable
(contains no code)
|
|
yakkety |
Not vulnerable
(contains no code)
|
|
zesty |
Not vulnerable
(contains no code)
|
|
ruby-actionpack-2.3 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
hardy |
Does not exist
|
|
lucid |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Not vulnerable
|
|
precise |
Not vulnerable
|
|
quantal |
Not vulnerable
|
|
raring |
Not vulnerable
|
|
saucy |
Not vulnerable
|
|
trusty |
Does not exist
|
|
upstream |
Not vulnerable
|
|
utopic |
Does not exist
|
|
vivid |
Does not exist
|
|
wily |
Does not exist
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
ruby-actionpack-3.2 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
hardy |
Does not exist
|
|
lucid |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
precise |
Does not exist
|
|
quantal |
Ignored
(end of life)
|
|
raring |
Ignored
(end of life)
|
|
saucy |
Ignored
(end of life)
|
|
trusty |
Does not exist
(trusty was needed)
|
|
upstream |
Needed
|
|
utopic |
Does not exist
|
|
vivid |
Does not exist
|
|
wily |
Does not exist
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
ruby-rails-2.3 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
hardy |
Does not exist
|
|
lucid |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Not vulnerable
|
|
precise |
Not vulnerable
|
|
quantal |
Not vulnerable
|
|
raring |
Not vulnerable
|
|
saucy |
Not vulnerable
|
|
trusty |
Does not exist
|
|
upstream |
Not vulnerable
|
|
utopic |
Does not exist
|
|
vivid |
Does not exist
|
|
wily |
Does not exist
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
ruby-rails-3.2 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
hardy |
Does not exist
|
|
lucid |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
precise |
Does not exist
|
|
quantal |
Not vulnerable
(code not present)
|
|
raring |
Not vulnerable
(code not present)
|
|
saucy |
Not vulnerable
(code not present)
|
|
trusty |
Does not exist
(trusty was not-affected [code not present])
|
|
upstream |
Not vulnerable
|
|
utopic |
Does not exist
|
|
vivid |
Does not exist
|
|
wily |
Does not exist
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
References
- http://www.openwall.com/lists/oss-security/2012/08/09/8
- https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain
- http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/
- https://www.cve.org/CVERecord?id=CVE-2012-3463
- NVD
- Launchpad
- Debian