CVE-2012-3465 — actionpack Cross-site Scripting vulnerability

Description

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.

How to fix CVE-2012-3465

To remediate CVE-2012-3465, upgrade the affected package to a fixed version below.

Debian/rails—upgrade to 2.3.14.1 or later
RubyGems/actionpack—upgrade to 3.0.17 or later

Is CVE-2012-3465 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.14.1
>= 3.0.0.beta, < 3.0.17

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-3465
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-3465
PATCHgithub.com/rails/rails
WEBrhn.redhat.com/errata/RHSA-2013-0154.html
WEB