CVE-2012-1098: Direct Manipulation XSS

March 13, 2012 (updated August 8, 2019)

Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate direct manipulations of SafeBuffer objects via '[]' and other methods. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user’s browser within the trust relationship between their browser and the server.

References

github.com/rails/rails/commit/c60c1c0812d5eb55e7024db350f8bc5b6729f7fe
github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/OSVDB-79726.yml

Code Behaviors & Features

Detect and mitigate CVE-2012-1098 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →