CVE-2012-3463
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
10/08/2012
Last modified:
11/04/2025
Description
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
Impact
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/
- https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/
- https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain