CVE-2012-1099: XSS via posted select tag options
Ruby on Rails is vulnerable to remote cross-site scripting because the select tag helpers in actionpack/lib/action_view/helpers/form_options_helper.rb do not validate manually generated option values and labels before rendering them back into the page. This may allow an attacker to craft a request that executes arbitrary script code in a user's browser, within the trust relationship between that browser and the server.
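As an added illustration (not Rails' own helper code and not part of this advisory), the Ruby below renders `<option>` tags from a constructed list of user-controlled labels and values in two ways: by direct string interpolation, the unsafe shape the advisory describes, and with `CGI.escapeHTML` applied to both the attribute value and the text node. It also includes a small check that flags stray markup in a rendered option list, the kind of assertion a test suite can use to catch a regression. The function names, the sample data and the check are assumptions made for this example.

```ruby
require "cgi"

# Added example, not Rails code: shows why every option field must be
# escaped before it is placed in markup.

# Constructed sample input: imagine the second label was posted by a user
# and is echoed back into a <select> on the next page.
SAMPLE_OPTIONS = [
  ["Red", "red"],
  ["</option><b>injected</b>", "evil"],
].freeze

# Unsafe shape: label and value are interpolated straight into HTML,
# so a label containing "</option>" closes the tag and injects markup.
def options_unescaped(options, selected = nil)
  options.map do |label, value|
    sel = value == selected ? ' selected="selected"' : ""
    "<option value=\"#{value}\"#{sel}>#{label}</option>"
  end.join("\n")
end

# Hardened shape: escape the attribute value (covers quotes) and the
# text node (covers angle brackets and ampersands) separately.
def options_escaped(options, selected = nil)
  options.map do |label, value|
    sel = value == selected ? ' selected="selected"' : ""
    "<option value=\"#{CGI.escapeHTML(value.to_s)}\"#{sel}>" \
      "#{CGI.escapeHTML(label.to_s)}</option>"
  end.join("\n")
end

# Regression check: after removing the <option> and </option> tags we
# generated ourselves, no other "<" should remain in the output. This is
# deliberately simple; it detects injected tags, not attribute breakouts.
def stray_markup?(html)
  stripped = html.gsub(%r{</?option\b[^>]*>}, "")
  stripped.include?("<")
end

if __FILE__ == $PROGRAM_NAME
  puts "--- unescaped (unsafe) ---"
  puts options_unescaped(SAMPLE_OPTIONS)
  puts "--- escaped (hardened) ---"
  puts options_escaped(SAMPLE_OPTIONS, "red")
end
```

Running the file prints both renderings; the unescaped version contains a live `<b>` element outside any option, while the escaped version shows the injected text literally as `&lt;/option&gt;&lt;b&gt;injected&lt;/b&gt;`.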