oss-sec mailing list archives
Re: CVE request: ruby on rails XSS Weakness in strip_tags
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 7 Dec 2009 21:16:11 -0500 (EST)
On Mon, 7 Dec 2009, Josh Bressers wrote:
> I'm sorry for the delay on this. Please use CVE-2009-4132
Josh, MITRE assigned CVE-2009-4214 earlier today. Please verify these are duplicates, and if so, we will stick with CVE-2009-4214.
- Steve

======================================================
Name: CVE-2009-4214
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
Reference: MLIST:[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags
Reference: URL:http://www.openwall.com/lists/oss-security/2009/11/27/2
Reference: MLIST:[rubyonrails-security] 20091127 XSS Weakness in strip_tags
Reference: URL:http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
Reference: CONFIRM:http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
Reference: CONFIRM:http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
Reference: BID:37142
Reference: URL:http://www.securityfocus.com/bid/37142
Reference: SECTRACK:1023245
Reference: URL:http://www.securitytracker.com/id?1023245
Reference: SECUNIA:37446
Reference: URL:http://secunia.com/advisories/37446
Reference: VUPEN:ADV-2009-3352
Reference: URL:http://www.vupen.com/english/advisories/2009/3352

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.