gsd - gsd-2009-3009

gsd-2009-3009

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

Aliases

CVE-2009-3009

Aliases

CVE-2009-3009

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2009-3009",
    "description": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.",
    "id": "GSD-2009-3009",
    "references": [
      "https://www.suse.com/security/cve/CVE-2009-3009.html",
      "https://www.debian.org/security/2009/dsa-1887"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2009-3009"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.",
      "id": "GSD-2009-3009",
      "modified": "2023-12-13T01:19:49.133879Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2009-3009",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "36278",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/36278"
          },
          {
            "name": "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails",
            "refsource": "CONFIRM",
            "url": "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails"
          },
          {
            "name": "36600",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/36600"
          },
          {
            "name": "APPLE-SA-2010-03-29-1",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
          },
          {
            "name": "ADV-2009-2544",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2009/2544"
          },
          {
            "name": "rubyonrails-unicode-xss(53036)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53036"
          },
          {
            "name": "http://support.apple.com/kb/HT4077",
            "refsource": "CONFIRM",
            "url": "http://support.apple.com/kb/HT4077"
          },
          {
            "name": "DSA-1887",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2009/dsa-1887"
          },
          {
            "name": "[rubyonrails-security] 20090904 XSS Vulnerability in Ruby on Rails",
            "refsource": "MLIST",
            "url": "http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source"
          },
          {
            "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063",
            "refsource": "CONFIRM",
            "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"
          },
          {
            "name": "57666",
            "refsource": "OSVDB",
            "url": "http://www.osvdb.org/57666"
          },
          {
            "name": "1022824",
            "refsource": "SECTRACK",
            "url": "http://securitytracker.com/id?1022824"
          },
          {
            "name": "36717",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/36717"
          },
          {
            "name": "SUSE-SR:2009:017",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.0.0 \u003c2.2.3||\u003e=2.3.0 \u003c2.3.4",
          "affected_versions": "All versions starting from 2.0.0 before 2.2.3, all versions starting from 2.3.0 before 2.3.4",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-06-19",
          "description": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.",
          "fixed_versions": [
            "2.2.3",
            "2.3.4"
          ],
          "identifier": "CVE-2009-3009",
          "identifiers": [
            "GHSA-8qrh-h9m2-5fvf",
            "CVE-2009-3009"
          ],
          "not_impacted": "All versions before 2.0.0, all versions starting from 2.2.3 before 2.3.0, all versions starting from 2.3.4",
          "package_slug": "gem/actionpack",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to versions 2.2.3, 2.3.4 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2009-3009",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/53036",
            "https://github.com/advisories/GHSA-8qrh-h9m2-5fvf",
            "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063",
            "http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source",
            "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html",
            "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html",
            "http://secunia.com/advisories/36600",
            "http://secunia.com/advisories/36717",
            "http://securitytracker.com/id?1022824",
            "http://support.apple.com/kb/HT4077",
            "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails",
            "http://www.debian.org/security/2009/dsa-1887",
            "http://www.osvdb.org/57666",
            "http://www.securityfocus.com/bid/36278",
            "http://www.vupen.com/english/advisories/2009/2544",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml"
          ],
          "uuid": "e15ff68a-fde4-42a2-8fd3-12f49e5017e3"
        },
        {
          "affected_range": "\u003e=2.0.0 \u003c2.2.3||\u003e=2.3.0 \u003c2.3.4",
          "affected_versions": "All versions starting from 2.0.0 before 2.2.3, all versions starting from 2.3.0 before 2.3.4",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-06-19",
          "description": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.",
          "fixed_versions": [
            "2.2.3",
            "2.3.4"
          ],
          "identifier": "CVE-2009-3009",
          "identifiers": [
            "GHSA-8qrh-h9m2-5fvf",
            "CVE-2009-3009"
          ],
          "not_impacted": "All versions before 2.0.0, all versions starting from 2.2.3 before 2.3.0, all versions starting from 2.3.4",
          "package_slug": "gem/activesupport",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to versions 2.2.3, 2.3.4 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2009-3009",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/53036",
            "https://github.com/advisories/GHSA-8qrh-h9m2-5fvf",
            "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063",
            "http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source",
            "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html",
            "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html",
            "http://secunia.com/advisories/36600",
            "http://secunia.com/advisories/36717",
            "http://securitytracker.com/id?1022824",
            "http://support.apple.com/kb/HT4077",
            "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails",
            "http://www.debian.org/security/2009/dsa-1887",
            "http://www.osvdb.org/57666",
            "http://www.securityfocus.com/bid/36278",
            "http://www.vupen.com/english/advisories/2009/2544",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml"
          ],
          "uuid": "f81a6186-cfea-47b8-9df0-3b50d75a4f11"
        },
        {
          "affected_range": "\u003e=2.0.0 \u003c2.2.3||\u003e=2.3.0 \u003c2.3.4",
          "affected_versions": "All versions starting from 2.0.0 before 2.2.3, all versions starting from 2.3.0 before 2.3.4",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-09-07",
          "description": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.",
          "fixed_versions": [
            "2.2.3",
            "2.3.4"
          ],
          "identifier": "CVE-2009-3009",
          "identifiers": [
            "GHSA-8qrh-h9m2-5fvf",
            "CVE-2009-3009"
          ],
          "not_impacted": "All versions before 2.0.0, all versions starting from 2.2.3 before 2.3.0, all versions starting from 2.3.4",
          "package_slug": "gem/rails",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to versions 2.2.3, 2.3.4 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2009-3009",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/53036",
            "https://github.com/advisories/GHSA-8qrh-h9m2-5fvf",
            "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063",
            "http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source",
            "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html",
            "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html",
            "http://secunia.com/advisories/36600",
            "http://secunia.com/advisories/36717",
            "http://securitytracker.com/id?1022824",
            "http://support.apple.com/kb/HT4077",
            "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails",
            "http://www.debian.org/security/2009/dsa-1887",
            "http://www.osvdb.org/57666",
            "http://www.securityfocus.com/bid/36278",
            "http://www.vupen.com/english/advisories/2009/2544"
          ],
          "uuid": "5b4777d4-86e3-4f83-b095-7880f36350d7"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-3009"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "57666",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://www.osvdb.org/57666"
            },
            {
              "name": "ADV-2009-2544",
              "refsource": "VUPEN",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/2544"
            },
            {
              "name": "36600",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/36600"
            },
            {
              "name": "[rubyonrails-security] 20090904 XSS Vulnerability in Ruby on Rails",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source"
            },
            {
              "name": "36278",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/36278"
            },
            {
              "name": "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails"
            },
            {
              "name": "1022824",
              "refsource": "SECTRACK",
              "tags": [
                "Patch"
              ],
              "url": "http://securitytracker.com/id?1022824"
            },
            {
              "name": "36717",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/36717"
            },
            {
              "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"
            },
            {
              "name": "DSA-1887",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2009/dsa-1887"
            },
            {
              "name": "SUSE-SR:2009:017",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
            },
            {
              "name": "http://support.apple.com/kb/HT4077",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://support.apple.com/kb/HT4077"
            },
            {
              "name": "APPLE-SA-2010-03-29-1",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
            },
            {
              "name": "rubyonrails-unicode-xss(53036)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53036"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2019-08-08T14:43Z",
      "publishedDate": "2009-09-08T18:30Z"
    }
  }
}

CVE-2009-3009 (GCVE-0-2009-3009)

Vulnerability from cvelistv5

Published

2009-09-08 18:00

Modified

2024-08-07 06:14

Severity ?

CWE

Summary

References

►

URL

Tags

	http://www.securityfocus.com/bid/36278	vdb-entry, x_refsource_BID
	http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails	x_refsource_CONFIRM
	http://secunia.com/advisories/36600	third-party-advisory, x_refsource_SECUNIA
	http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	vendor-advisory, x_refsource_APPLE
	http://www.vupen.com/english/advisories/2009/2544	vdb-entry, x_refsource_VUPEN
	https://exchange.xforce.ibmcloud.com/vulnerabilities/53036	vdb-entry, x_refsource_XF
	http://support.apple.com/kb/HT4077	x_refsource_CONFIRM
	http://www.debian.org/security/2009/dsa-1887	vendor-advisory, x_refsource_DEBIAN
	http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source	mailing-list, x_refsource_MLIST
	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063	x_refsource_CONFIRM
	http://www.osvdb.org/57666	vdb-entry, x_refsource_OSVDB
	http://securitytracker.com/id?1022824	vdb-entry, x_refsource_SECTRACK
	http://secunia.com/advisories/36717	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html	vendor-advisory, x_refsource_SUSE

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website