Date: Mon, 7 Dec 2009 21:16:11 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby on rails XSS Weakness in strip_tags


On Mon, 7 Dec 2009, Josh Bressers wrote:

> I'm sorry for the delay on this.
>
> Please use CVE-2009-4132

Josh, MITRE assigned CVE-2009-4214 earlier today.  Please verify these are
duplicates, and if so, we will stick with CVE-2009-4214.

- Steve


======================================================
Name: CVE-2009-4214
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
Reference: MLIST:[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags
Reference: URL:http://www.openwall.com/lists/oss-security/2009/11/27/2
Reference: MLIST:[rubyonrails-security] 20091127 XSS Weakness in strip_tags
Reference: URL:http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
Reference: CONFIRM:http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
Reference: CONFIRM:http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
Reference: BID:37142
Reference: URL:http://www.securityfocus.com/bid/37142
Reference: SECTRACK:1023245
Reference: URL:http://www.securitytracker.com/id?1023245
Reference: SECUNIA:37446
Reference: URL:http://secunia.com/advisories/37446
Reference: VUPEN:ADV-2009-3352
Reference: URL:http://www.vupen.com/english/advisories/2009/3352

Cross-site scripting (XSS) vulnerability in the strip_tags function in
Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
attackers to inject arbitrary web script or HTML via vectors involving
non-printing ASCII characters, related to HTML::Tokenizer and
actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
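The description above says only that the bypass involves non-printing ASCII characters confusing tag recognition in the tokenizer. The following Ruby is an added illustration, not Rails' html-scanner code: a deliberately naive tag stripper that decides "is this a tag?" by the character right after `<`, the same decision hardened by normalising control characters first and escaping any stray angle brackets, and a regression check a maintainer could keep in a test suite. All function names and the sample input are constructed for this example.

```ruby
# Constructed for illustration; not the Rails implementation.

# ASCII control characters other than tab, LF and CR. A lenient HTML
# consumer may silently drop these, so "<\x01script>" can be rendered as
# "<script>" even though a strict tokenizer saw no tag at all.
CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/

# A token is treated as a tag only when "<" is directly followed by a
# tag-name character, "/" or "!". Anything else is passed through as text.
TAG_TOKEN = %r{<[a-zA-Z/!][^>]*>}

# Naive stripper: mirrors the class of mistake described in the CVE text.
# "<\x01script>" is not recognised as a tag and survives untouched.
def naive_strip_tags(html)
  html.gsub(TAG_TOKEN, "")
end

# Hardened stripper: remove control characters before tokenising so the
# tag-detection regex and the browser agree on where tags begin, then
# escape whatever "<" / ">" remain so no surviving text can form a tag.
def hardened_strip_tags(html)
  html.gsub(CONTROL_CHARS, "")
      .gsub(TAG_TOKEN, "")
      .gsub("<", "&lt;")
      .gsub(">", "&gt;")
end

# Regression check for a sanitizer: after a lenient consumer discards
# control characters, does any tag-like sequence remain in the output?
# Returns true when the sanitizer output is unsafe under that model.
def tag_survives_control_strip?(sanitized)
  !!(sanitized.gsub(CONTROL_CHARS, "") =~ %r{<[a-zA-Z/][^>]*>})
end

if __FILE__ == $0
  sample = "<\x01script>alert(1)</script> 1 < 2"   # constructed input
  puts "naive:    #{naive_strip_tags(sample).inspect}"
  puts "hardened: #{hardened_strip_tags(sample).inspect}"
  puts "naive unsafe?    #{tag_survives_control_strip?(naive_strip_tags(sample))}"
  puts "hardened unsafe? #{tag_survives_control_strip?(hardened_strip_tags(sample))}"
end
```

Feeding each sanitizer the same control-character-laced input and asserting `tag_survives_control_strip?` is false is the kind of check that would have caught this class of regression before release.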

