CVE-2012-3465 (Medium) detected in actionpack-3.0.9.gem
mend-bolt-for-github opened this issue · comments
CVE-2012-3465 - Medium Severity Vulnerability
Vulnerable Library - actionpack-3.0.9.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.9.gem
Dependency Hierarchy:
- rails-3.0.9.gem (Root Library)
- railties-3.0.9.gem
- ❌ actionpack-3.0.9.gem (Vulnerable Library)
- railties-3.0.9.gem
Found in HEAD commit: 0c785fd9400921392b8ee5e3e166f30364359ecc
Found in base branch: master
Vulnerability Details
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
Publish Date: 2012-08-10
URL: CVE-2012-3465
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: N/A
- Attack Complexity: N/A
- Privileges Required: N/A
- User Interaction: N/A
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3465
Release Date: 2012-08-10
Fix Resolution: 3.0.17,3.1.8,3.2.8
Step up your Open Source Security Game with WhiteSource here