Date: Mon, 7 Dec 2009 21:16:11 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby on rails XSS Weakness in strip_tags

On Mon, 7 Dec 2009, Josh Bressers wrote:

> I'm sorry for the delay on this.
>
> Please use CVE-2009-4132

Josh, MITRE assigned CVE-2009-4214 earlier today. Please verify these are
duplicates, and if so, we will stick with CVE-2009-4214.

- Steve

======================================================
Name: CVE-2009-4214
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
Reference: MLIST:[oss-security] 20091127 CVE request: ruby on rails XSS Weakness in strip_tags
Reference: URL:http://www.openwall.com/lists/oss-security/2009/11/27/2
Reference: MLIST:[rubyonrails-security] 20091127 XSS Weakness in strip_tags
Reference: URL:http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
Reference: CONFIRM:http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
Reference: CONFIRM:http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
Reference: BID:37142
Reference: URL:http://www.securityfocus.com/bid/37142
Reference: SECTRACK:1023245
Reference: URL:http://www.securitytracker.com/id?1023245
Reference: SECUNIA:37446
Reference: URL:http://secunia.com/advisories/37446
Reference: VUPEN:ADV-2009-3352
Reference: URL:http://www.vupen.com/english/advisories/2009/3352

Cross-site scripting (XSS) vulnerability in the strip_tags function in
Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
attackers to inject arbitrary web script or HTML via vectors involving
non-printing ASCII characters, related to HTML::Tokenizer and
actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
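The CVE text above names the bug class (a strip_tags sanitizer whose idea of "what is a tag" is thrown off by non-printing ASCII bytes) but not a way to check for it. The Ruby below is an added example written for this page; it is not code from the Rails project, from the html-scanner library, from the referenced commit, or from anyone in this thread. It assumes a toy sanitizer with two tag-name rules (a lenient one that only drops a token if `<` is immediately followed by a word character, and a strict one that drops any `<...>` token), and it assumes a downstream consumer that ignores control bytes inside a tag name; neither is a claim about the real Rails tokenizer or about any particular browser. What it shows is the regression check a practitioner would run: perturb a known-bad payload with every C0 control byte and DEL at each position around the tag name, strip it, and assert that nothing tag-like survives once the control bytes are discarded.

```ruby
require 'strscan'

# Non-printing ASCII: the C0 control bytes plus DEL.
NON_PRINTING = ((0x00..0x1F).to_a << 0x7F).map(&:chr).freeze

# Toy strip_tags (constructed for this example, not the Rails html-scanner).
# Every token that starts with "<" is scanned up to the next ">".
#   :strict  - any such token is treated as markup and dropped.
#   :lenient - the token is dropped only if "<" or "</" is immediately
#              followed by a tag name matching [\w:-]+; otherwise it is
#              treated as text and copied to the output verbatim.
def toy_strip_tags(html, mode: :strict)
  out = +''
  s = StringScanner.new(html)
  until s.eos?
    if s.peek(1) == '<'
      token = s.scan(/<[^>]*>?/)
      looks_like_tag = (mode == :strict) || !(token =~ /\A<\/?[\w:-]+/).nil?
      out << token unless looks_like_tag
    else
      out << s.getch
    end
  end
  out
end

# Constructed payload used for the regression check.
PAYLOAD = '<script>alert(1)</script>'.freeze

# Perturb the opening tag with each non-printing byte at the start of the
# name, inside the name, and after the name; strip; then discard control
# bytes the way an assumed lenient consumer might, and look for a tag that
# came back. Returns the inputs that got through.
def control_byte_bypasses(mode)
  bypasses = []
  NON_PRINTING.each do |c|
    ["<#{c}script>", "<scr#{c}ipt>", "<script#{c}>"].each do |opener|
      input = PAYLOAD.sub('<script>', opener)
      stripped = toy_strip_tags(input, mode: mode)
      visible = stripped.gsub(/[\x00-\x1F\x7F]/, '')
      bypasses << input if visible.match?(/<script\b/i)
    end
  end
  bypasses
end

if __FILE__ == $PROGRAM_NAME
  puts "lenient rule, inputs that still carry <script>: #{control_byte_bypasses(:lenient).size}"
  puts "strict rule,  inputs that still carry <script>: #{control_byte_bypasses(:strict).size}"
end
```

With the lenient rule every control byte placed right after `<` leaks the whole tag through unchanged, because the sanitizer classifies `<\x08script>` as text and copies it out; the strict rule drops it. To use this against a real deployment, swap `toy_strip_tags` for the strip_tags helper of the Rails version under test and keep the perturbation loop as-is; an empty result for `control_byte_bypasses` is the property you want, and over-stripping a malformed `<` token is the safe failure mode.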