CVE-2011-2932: activesupport Cross-site Scripting vulnerability
CVSS Score: 4.3
Basic Information
CVE ID: CVE-2011-2932
GHSA ID
EPSS Score: 0.73282%
CWE
Published: 10/24/2017
Updated: 11/10/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector (v2): AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
activesupport | rubygems | >= 2.0.0, < 2.3.13 | 2.3.13 |
activesupport | rubygems | >= 3.0.0, < 3.0.10 | 3.0.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is in the html_escape method in activesupport/lib/active_support/core_ext/string/output_safety.rb. The pre-patch code escaped output with a single character-class regex, s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }. Under Ruby 1.8's multibyte-aware regex handling, a malformed UTF-8 byte sequence in the input could stop that character class from matching the special characters that followed it, so attacker-controlled <, >, " or & reached the rendered page unescaped. The fix commit replaces the single pattern with a chain of one-character gsub calls (& first, then ", > and <), which Ruby 1.8 matched reliably on such input. The order is a requirement of the chained form, not a defect of the original pattern: escaping & last would re-encode the entities that the earlier replacements introduce. The patched method also calls s.to_s on its argument before escaping, so non-String inputs are handled, and the entire escaping path lives in this one function.
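The two shapes of the escaper described above, side by side, as an added example that is not Rails' own code. The HTML_ESCAPE table and the function names (html_escape_before, html_escape_after, html_escape_wrong_order, html_escape_bytewise, fully_escaped?, escapes_or_raises) are assumed for illustration. It also shows why the chained form must escape & first, and what modern Ruby does with the malformed input that triggered the bug on Ruby 1.8.

```ruby
# Added example for CVE-2011-2932; not the ActiveSupport source.
# The HTML_ESCAPE table and all function names below are assumed names.

HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }.freeze

# Pre-patch shape: one character-class regex. On Ruby 1.8 with UTF-8 regex
# handling, a malformed byte sequence could stop the class from matching the
# specials after it, leaving raw markup in the output.
def html_escape_before(s)
  s.to_s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }
end

# Patched shape: one gsub per character, & first so the entities produced by
# the later replacements are not escaped a second time.
def html_escape_after(s)
  s.to_s.gsub(/&/, '&amp;').gsub(/"/, '&quot;').gsub(/>/, '&gt;').gsub(/</, '&lt;')
end

# Same chain with & last, for contrast: every entity gets double-encoded.
def html_escape_wrong_order(s)
  s.to_s.gsub(/"/, '&quot;').gsub(/>/, '&gt;').gsub(/</, '&lt;').gsub(/&/, '&amp;')
end

# Output-safety check: no raw <, > or " survives, and every & starts one of
# the four entities the escaper is allowed to emit.
def fully_escaped?(out)
  !out.match?(/[<>"]/) && !out.match?(/&(?!amp;|lt;|gt;|quot;)/)
end

# Ruby 1.9+ refuses to run a regex over a string with an invalid byte
# sequence (ArgumentError) instead of silently skipping matches as 1.8 did,
# so the original misbehaviour cannot be reproduced there. This helper
# reports which of the two outcomes an escaper produces.
def escapes_or_raises(escaper, s)
  escaper.call(s)
rescue ArgumentError => e
  e.class
end

# One way to escape regardless of encoding validity: match on the raw bytes
# (ASCII-8BIT), where the ASCII specials are always single bytes, then hand
# back the caller's encoding. An added approach, not what the patch did.
def html_escape_bytewise(s)
  s = s.to_s
  s.b.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.force_encoding(s.encoding)
end

if __FILE__ == $PROGRAM_NAME
  payload = '<a href="x">&</a>'
  puts html_escape_after(payload)
  puts html_escape_wrong_order('<b>')
  p escapes_or_raises(method(:html_escape_before), "\xff<b>")
  p html_escape_bytewise("\xff<b>")
end
```

The constructed payload "\xff<b>" stands in for the malformed-UTF-8 input from the advisory; on a current Ruby both the before and after shapes raise on it, while the byte-wise variant escapes the tag and leaves the stray byte untouched.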