Candidate: CVE-2011-0446
PublicDate: 2011-02-14 21:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446
 http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a
Description:
 Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper
 in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript
 encoding is used, allow remote attackers to inject arbitrary web script or
 HTML via a crafted (1) name or (2) email value.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_rails:
 upstream: https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217
upstream_rails: released (2.3.11,3.0.4)
dapper_rails: ignored (reached end-of-life)
hardy_rails: ignored (reached end-of-life)
karmic_rails: ignored (reached end-of-life)
lucid_rails: released (2.2.3-2ubuntu0.1)
maverick_rails: released (2.3.5-1.1ubuntu0.1)
natty_rails: released (2.3.5-1.2ubuntu1.1)
devel_rails: not-affected (2.3.14.1)