Vulnerability Name: | CVE-2007-3227 (CCN-34877) | ||||||||
Assigned: | 2007-05-15 | ||||||||
Published: | 2007-05-15 | ||||||||
Updated: | 2019-08-08 | ||||||||
Summary: | Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values. | ||||||||
CVSS v3 Severity: | 4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
| ||||||||
CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
| ||||||||
Vulnerability Type: | CWE-79 | ||||||||
Vulnerability Consequences: | Gain Access | ||||||||
References: | Source: CONFIRM Type: UNKNOWN http://bugs.gentoo.org/show_bug.cgi?id=195315 Source: MITRE Type: CNA CVE-2007-3227 Source: CCN Type: Changeset 6893 Rails Trac Source: CCN Type: Changeset 6894 Rails Trac Source: CCN Type: Ruby on Rails Web site: Ticket #8371 to_json cross site scripting security issue (XSS) Source: CONFIRM Type: UNKNOWN http://dev.rubyonrails.org/ticket/8371 Source: OSVDB Type: UNKNOWN 36378 Source: CONFIRM Type: UNKNOWN http://pastie.caboo.se/65550.txt Source: CCN Type: SA25699 Ruby on Rails "to_json" Cross-Site Scripting Vulnerability Source: SECUNIA Type: Vendor Advisory 25699 Source: SECUNIA Type: Vendor Advisory 27657 Source: SECUNIA Type: Vendor Advisory 27756 Source: GENTOO Type: UNKNOWN GLSA-200711-17 Source: CONFIRM Type: UNKNOWN http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release Source: CONFIRM Type: UNKNOWN http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release Source: CCN Type: GLSA-200711-17 Ruby on Rails: Multiple vulnerabilities Source: SUSE Type: UNKNOWN SUSE-SR:2007:024 Source: CCN Type: OSVDB ID: 36378 Ruby on Rails to_json input Value XSS Source: BID Type: Exploit 24161 Source: CCN Type: BID-24161 Ruby on Rails To_JSON Script Injection Vulnerability Source: VUPEN Type: Vendor Advisory ADV-2007-2216 Source: XF Type: UNKNOWN rubyonrails-tojson-xss(34877) Source: SUSE Type: SUSE-SR:2007:024 SUSE Security Summary Report | ||||||||
Vulnerable Configuration: | Configuration 1:![]() | ||||||||
Oval Definitions | |||||||||
| |||||||||
BACK |