Vulnerability Details CVE-2007-3227
Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.151
EPSS Ranking 94.3%
CVSS Severity
CVSS v2 Score 4.3
References
- http://bugs.gentoo.org/show_bug.cgi?id=195315
- http://dev.rubyonrails.org/ticket/8371
- http://osvdb.org/36378
- http://pastie.caboo.se/65550.txt
- http://secunia.com/advisories/25699
- http://secunia.com/advisories/27657
- http://secunia.com/advisories/27756
- http://security.gentoo.org/glsa/glsa-200711-17.xml
- http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release
- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- http://www.novell.com/linux/security/advisories/2007_24_sr.html
- http://www.securityfocus.com/bid/24161
- http://www.vupen.com/english/advisories/2007/2216
- http://bugs.gentoo.org/show_bug.cgi?id=195315
- http://dev.rubyonrails.org/ticket/8371
- http://osvdb.org/36378
- http://pastie.caboo.se/65550.txt
- http://secunia.com/advisories/25699
- http://secunia.com/advisories/27657
- http://secunia.com/advisories/27756
- http://security.gentoo.org/glsa/glsa-200711-17.xml
- http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release
- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- http://www.novell.com/linux/security/advisories/2007_24_sr.html
- http://www.securityfocus.com/bid/24161
- http://www.vupen.com/english/advisories/2007/2216
Products affected by CVE-2007-3227
-
cpe:2.3:a:rubyonrails:rails:1.1.5