What is the severity of CVE-2011-2932?

CVE-2011-2932 has a medium severity level due to its potential for cross-site scripting exploitation.

How do I fix CVE-2011-2932?

To fix CVE-2011-2932, upgrade to activesupport versions 3.0.10 or 2.3.13 or later.

What applications are affected by CVE-2011-2932?

CVE-2011-2932 affects Ruby on Rails versions prior to 3.0.10 and 2.3.13.

Can CVE-2011-2932 lead to data breaches?

Yes, CVE-2011-2932 can allow attackers to execute malicious scripts, potentially leading to data breaches.

What kind of attack can CVE-2011-2932 facilitate?

CVE-2011-2932 can facilitate cross-site scripting (XSS) attacks against vulnerable applications.

Vulnerability/
CVE-2011-2932

medium

4.3

CWE

17/8/2011

29/8/2011

24/10/2017

6/8/2024

CVE-2011-2932: XSS

First published: Wed Aug 17 2011(Updated: )

An XSS vulnerability in the escaping code used by Ruby on Rails was reported [1] where, using a specially crafted malformed unicode string, an attacker can bypass the escaping code. Due to a bug in the Ruby 1.8 regular expression code, the Ruby on Rails replacement for ERB::Util.h will fail to escape certain malformed unicode strings, which could then be interpreted as HTML by some browsers. This is corrected in upstream 3.0.10, 2.3.13, and 3.1.0rc5 versions and only affects platforms using Ruby 1.8.x (Ruby 1.9.x renders this ineffective). Patches are available in the advisory [1] and in git [2]. [1] <a href="http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195">http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195</a> [2] <a href="https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd">https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd</a>

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
rubygems/activesupport	>=3.0.0<3.0.10	3.0.10
rubygems/activesupport	>=2.0.0<2.3.13	2.3.13
redhat/rubygem-activesupport	<2.3.13	2.3.13
redhat/rubygem-activesupport	<3.0.10	3.0.10
redhat/rubygem-activesupport	<3.1.0	3.1.0
rubyonrails Rails	=2.0.0
rubyonrails Rails	=2.0.0-rc1
rubyonrails Rails	=2.0.0-rc2
rubyonrails Rails	=2.0.1
rubyonrails Rails	=2.0.2
rubyonrails Rails	=2.0.4
rubyonrails Rails	=2.1.0
rubyonrails Rails	=2.1.1
rubyonrails Rails	=2.1.2
rubyonrails Rails	=2.2.0
rubyonrails Rails	=2.2.1
rubyonrails Rails	=2.2.2
rubyonrails Rails	=2.3.2
rubyonrails Rails	=2.3.3
rubyonrails Rails	=2.3.4
rubyonrails Rails	=2.3.9
rubyonrails Rails	=2.3.10
rubyonrails Rails	=2.3.11
rubyonrails Rails	=2.3.12
rubyonrails Rails	=3.0.0
rubyonrails Rails	=3.0.0-beta
rubyonrails Rails	=3.0.0-beta2
rubyonrails Rails	=3.0.0-beta3
rubyonrails Rails	=3.0.0-beta4
rubyonrails Rails	=3.0.0-rc
rubyonrails Rails	=3.0.0-rc2
rubyonrails Rails	=3.0.1
rubyonrails Rails	=3.0.1-pre
rubyonrails Rails	=3.0.2
rubyonrails Rails	=3.0.2-pre
rubyonrails Rails	=3.0.3
rubyonrails Rails	=3.0.4-rc1
rubyonrails Rails	=3.0.5
rubyonrails Rails	=3.0.5-rc1
rubyonrails Rails	=3.0.6
rubyonrails Rails	=3.0.6-rc1
rubyonrails Rails	=3.0.6-rc2
rubyonrails Rails	=3.0.7
rubyonrails Rails	=3.0.7-rc1
rubyonrails Rails	=3.0.7-rc2
rubyonrails Rails	=3.0.8
rubyonrails Rails	=3.0.8-rc1
rubyonrails Rails	=3.0.8-rc2
rubyonrails Rails	=3.0.8-rc3
rubyonrails Rails	=3.0.8-rc4
rubyonrails Rails	=3.0.9
rubyonrails Rails	=3.0.9-rc1
rubyonrails Rails	=3.0.9-rc2
rubyonrails Rails	=3.0.9-rc3
rubyonrails Rails	=3.0.9-rc4
rubyonrails Rails	=3.0.9-rc5
rubyonrails Rails	=3.0.10-rc1
rubyonrails Rails	=3.1.0
rubyonrails Rails	=3.1.0-beta1
rubyonrails Rails	=3.1.0-rc1
rubyonrails Rails	=3.1.0-rc2
rubyonrails Rails	=3.1.0-rc3
rubyonrails Rails	=3.1.0-rc4
Ruby on Rails	=3.0.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2011-2932?
CVE-2011-2932 has a medium severity level due to its potential for cross-site scripting exploitation.
How do I fix CVE-2011-2932?
To fix CVE-2011-2932, upgrade to activesupport versions 3.0.10 or 2.3.13 or later.
What applications are affected by CVE-2011-2932?
CVE-2011-2932 affects Ruby on Rails versions prior to 3.0.10 and 2.3.13.
Can CVE-2011-2932 lead to data breaches?
Yes, CVE-2011-2932 can allow attackers to execute malicious scripts, potentially leading to data breaches.
What kind of attack can CVE-2011-2932 facilitate?
CVE-2011-2932 can facilitate cross-site scripting (XSS) attacks against vulnerable applications.

collector/github-advisory-latest
alias/GHSA-9fh3-vh3h-q4g3
alias/CVE-2011-2932
collector/github-advisory
agent/author
agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/weakness
agent/last-modified-date
agent/severity
agent/references
agent/remedy
agent/description
agent/event
agent/trending
agent/source
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-historical
collector/nvd-cve
package-manager/rubygems
package-manager/redhat
vendor/rubyonrails
canonical/rubyonrails rails
version/rubyonrails rails/2.0.0
version/rubyonrails rails/2.0.0-rc1
version/rubyonrails rails/2.0.0-rc2
version/rubyonrails rails/2.0.1
version/rubyonrails rails/2.0.2
version/rubyonrails rails/2.0.4
version/rubyonrails rails/2.1.0
version/rubyonrails rails/2.1.1
version/rubyonrails rails/2.1.2
version/rubyonrails rails/2.2.0
version/rubyonrails rails/2.2.1
version/rubyonrails rails/2.2.2
version/rubyonrails rails/2.3.2
version/rubyonrails rails/2.3.3
version/rubyonrails rails/2.3.4
version/rubyonrails rails/2.3.9
version/rubyonrails rails/2.3.10
version/rubyonrails rails/2.3.11
version/rubyonrails rails/2.3.12
version/rubyonrails rails/3.0.0
version/rubyonrails rails/3.0.0-beta
version/rubyonrails rails/3.0.0-beta2
version/rubyonrails rails/3.0.0-beta3
version/rubyonrails rails/3.0.0-beta4
version/rubyonrails rails/3.0.0-rc
version/rubyonrails rails/3.0.0-rc2
version/rubyonrails rails/3.0.1
version/rubyonrails rails/3.0.1-pre
version/rubyonrails rails/3.0.2
version/rubyonrails rails/3.0.2-pre
version/rubyonrails rails/3.0.3
version/rubyonrails rails/3.0.4-rc1
version/rubyonrails rails/3.0.5
version/rubyonrails rails/3.0.5-rc1
version/rubyonrails rails/3.0.6
version/rubyonrails rails/3.0.6-rc1
version/rubyonrails rails/3.0.6-rc2
version/rubyonrails rails/3.0.7
version/rubyonrails rails/3.0.7-rc1
version/rubyonrails rails/3.0.7-rc2
version/rubyonrails rails/3.0.8
version/rubyonrails rails/3.0.8-rc1
version/rubyonrails rails/3.0.8-rc2
version/rubyonrails rails/3.0.8-rc3
version/rubyonrails rails/3.0.8-rc4
version/rubyonrails rails/3.0.9
version/rubyonrails rails/3.0.9-rc1
version/rubyonrails rails/3.0.9-rc2
version/rubyonrails rails/3.0.9-rc3
version/rubyonrails rails/3.0.9-rc4
version/rubyonrails rails/3.0.9-rc5
version/rubyonrails rails/3.0.10-rc1
version/rubyonrails rails/3.1.0
version/rubyonrails rails/3.1.0-beta1
version/rubyonrails rails/3.1.0-rc1
version/rubyonrails rails/3.1.0-rc2
version/rubyonrails rails/3.1.0-rc3
version/rubyonrails rails/3.1.0-rc4
canonical/ruby on rails
version/ruby on rails/3.0.4

CVE-2011-2932: XSS

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2011-2932?

How do I fix CVE-2011-2932?

What applications are affected by CVE-2011-2932?

Can CVE-2011-2932 lead to data breaches?

What kind of attack can CVE-2011-2932 facilitate?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2011-2932?

How do I fix CVE-2011-2932?

What applications are affected by CVE-2011-2932?

Can CVE-2011-2932 lead to data breaches?

What kind of attack can CVE-2011-2932 facilitate?