
CVE-2011-1497: Cross site scripting in actionpack Rubygem

CVSS 3.1 Score: 6.1

Basic Information

EPSS Score: 0.55098%
Published: 4/22/2022
Updated: 1/20/2025
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions     First Patched Version
actionpack     rubygems    >= 3.0.0.rc, < 3.0.6    3.0.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The GitHub patch (61ee344) explicitly removes .html_safe calls from auto_link's return values and blank text handling. The CVE description and advisory explicitly name auto_link as the vulnerable function. The commit message states the root cause: returning HTML-safe strings enabled XSS when unsanitized input was passed to auto_link. Test cases in text_helper_test.rb were updated to verify the removal of HTML-safe marking.
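To make the mechanism in the analysis concrete, here is an added Ruby illustration (not code from this page or from ActionPack): a string marked html_safe is emitted verbatim by the view, so an auto_link that marks its output safe lets unescaped caller input through, whereas returning a plain String leaves escaping to the view. The SafeBuffer stand-in, the render_output helper and both simplified auto_link variants are assumptions that model the behaviour described above, not the real implementation.

```ruby
# Added example, not from the Miggo page or from ActionPack: models the
# html_safe semantics behind CVE-2011-1497 with a stand-in SafeBuffer and two
# simplified auto_link variants (assumptions, not the real helper).
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer: a String the view emits verbatim.
class SafeBuffer < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# What a Rails view does with <%= value %>: escape unless marked html_safe.
def render_output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

URL_RE = %r{https?://[^\s<"]+}

# Wraps bare http(s) URLs in anchors; shared by both variants below.
def link_urls(text)
  text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Pre-3.0.6 behaviour as the analysis describes it: the result is marked
# html_safe although the caller's text was never escaped, so any markup in
# untrusted input reaches the page unchanged.
def auto_link_vulnerable(text)
  return ''.html_safe if text.to_s.strip.empty?
  link_urls(text).html_safe
end

# Post-patch behaviour: same linking, but a plain String is returned, so the
# view escapes the whole result; callers that want live anchors must sanitize
# the input first and mark the result safe themselves.
def auto_link_patched(text)
  return '' if text.to_s.strip.empty?
  link_urls(text)
end

# Renders the same untrusted text through both variants for comparison.
def compare(text)
  { vulnerable: render_output(auto_link_vulnerable(text)),
    patched: render_output(auto_link_patched(text)) }
end
```

Running compare on a constructed string that mixes a URL with markup shows the vulnerable variant emitting the markup as-is and the patched variant emitting it entity-escaped.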
