GHSA-75w6-p6mg-vh8j, CVE-2011-0446
gem/actionpack
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
All versions before 2.3.11, all versions starting from 3.0.0 before 3.0.4
Upgrade to versions 2.3.11, 3.0.4 or above.
2023-05-29
source |