CVE-2009-3009: XSS
First published: Tue Sep 08 2009(Updated: )
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/activesupport | >=2.3.0<2.3.4 | 2.3.4 |
| rubygems/activesupport | >=2.0.0<2.2.3 | 2.2.3 |
| rubygems/actionpack | >=2.3.0<2.3.4 | 2.3.4 |
| rubygems/actionpack | >=2.0.0<2.2.3 | 2.2.3 |
| Ruby on Rails | =2.0.0 | |
| Ruby on Rails | =2.0.0-rc1 | |
| Ruby on Rails | =2.0.0-rc2 | |
| Ruby on Rails | =2.0.1 | |
| Ruby on Rails | =2.0.2 | |
| Ruby on Rails | =2.0.4 | |
| Ruby on Rails | =2.1.0 | |
| Ruby on Rails | =2.1.1 | |
| Ruby on Rails | =2.1.2 | |
| Ruby on Rails | =2.2.0 | |
| Ruby on Rails | =2.2.1 | |
| Ruby on Rails | =2.2.2 | |
| Ruby on Rails | =2.3.2 | |
| Ruby on Rails | =2.3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.osvdb.org/57666
- http://www.vupen.com/english/advisories/2009/2544
- http://secunia.com/advisories/36600
- http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
- http://www.securityfocus.com/bid/36278
- http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
- http://securitytracker.com/id?1022824
- http://secunia.com/advisories/36717
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
- http://www.debian.org/security/2009/dsa-1887
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://support.apple.com/kb/HT4077
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
- https://nvd.nist.gov/vuln/detail/CVE-2009-3009
- https://github.com/advisories/GHSA-8qrh-h9m2-5fvf (Advisory)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml
Frequently Asked Questions
What is the severity of CVE-2009-3009?
CVE-2009-3009 is classified as a high-severity cross-site scripting (XSS) vulnerability.
How do I fix CVE-2009-3009?
To fix CVE-2009-3009, upgrade Ruby on Rails to version 2.2.3 or later, or version 2.3.4 or later.
Which Ruby on Rails versions are affected by CVE-2009-3009?
CVE-2009-3009 affects Ruby on Rails versions 2.x before 2.2.3 and 2.3.x before 2.3.4.
What type of vulnerability is CVE-2009-3009?
CVE-2009-3009 is a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts.
Can CVE-2009-3009 be exploited remotely?
Yes, CVE-2009-3009 can be exploited remotely by injecting malformed Unicode strings into form helpers.
- collector/github-advisory-latest
- alias/GHSA-8qrh-h9m2-5fvf
- alias/CVE-2009-3009
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/remedy
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-historical
- package-manager/rubygems
- vendor/rubyonrails
- canonical/ruby on rails
- version/ruby on rails/2.0.0
- version/ruby on rails/2.0.0-rc1
- version/ruby on rails/2.0.0-rc2
- version/ruby on rails/2.0.1
- version/ruby on rails/2.0.2
- version/ruby on rails/2.0.4
- version/ruby on rails/2.1.0
- version/ruby on rails/2.1.1
- version/ruby on rails/2.1.2
- version/ruby on rails/2.2.0
- version/ruby on rails/2.2.1
- version/ruby on rails/2.2.2
- version/ruby on rails/2.3.2
- version/ruby on rails/2.3.3