CVE-2012-3464: Potential XSS Vulnerability in Ruby on Rails

August 10, 2012 (updated August 8, 2019)

The HTML escaping code in Ruby on Rails does not escape all potentially dangerous characters. In particular the code does not escape the single quote character. The helpers used in Rails itself never use single quotes, so most applications are unlikely to be vulnerable, however all users running an affected release should still upgrade.

References

groups.google.com/forum/?fromgroups=

Detect and mitigate CVE-2012-3464 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →