CVE-2011-2932: activesupport Cross-site Scripting vulnerability

CVSS Score: 4.3

Basic Information

EPSS Score: 0.73282%
Published: 10/24/2017
Updated: 11/10/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name    Ecosystem   Vulnerable Versions    First Patched Version
activesupport   rubygems    >= 2.0.0, < 2.3.13     2.3.13
activesupport   rubygems    >= 3.0.0, < 3.0.10     3.0.10

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the html_escape method in output_safety.rb, as shown in the commit diff. The original code used s.gsub(/[&"><]/) which had two critical issues: 1) The regex pattern [&"><] could fail to match certain malformed UTF-8 byte sequences due to Ruby 1.8's regex handling, and 2) The pattern didn't account for all HTML-special characters in the correct order (e.g., & needed to be escaped first). The patch explicitly chains gsub calls with specific replacements and adds s.to_s to handle non-string inputs, demonstrating the vulnerability was in this specific function.
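As an added example (not the Rails source and not Miggo's code), the two shapes of html_escape described above written out as plain Ruby methods, plus a wrapper for the malformed-input case: on Ruby 1.9 and later, regex matching over a string whose bytes are invalid in its declared encoding raises ArgumentError instead of silently skipping characters, so the wrapper normalises the encoding with String#scrub before escaping. The names safe_html_escape and fully_escaped? are this example's own.

```ruby
# Added example, not the Rails or Miggo code. Models the pre-patch and
# patched shapes of html_escape described above and adds an encoding
# check in front of them.

HTML_ESCAPE = { '&' => '&amp;', '"' => '&quot;', '>' => '&gt;', '<' => '&lt;' }.freeze

# Pre-patch shape: one character-class regex with a lookup block.
# No s.to_s, so a nil argument raises NoMethodError.
def html_escape_single_pass(s)
  s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }
end

# Patched shape: coerce with to_s, then one explicit replacement per
# character, ampersand first so the entities emitted by the later
# steps are not escaped a second time.
def html_escape_chained(s)
  s = s.to_s
  s.gsub(/&/, '&amp;').gsub(/"/, '&quot;').gsub(/>/, '&gt;').gsub(/</, '&lt;')
end

# This example's own addition: never run pattern matching over input
# whose bytes are not valid in its declared encoding. Ruby 1.9+ raises
# ArgumentError from gsub in that case; scrubbing first replaces the
# invalid bytes with U+FFFD so every special character is still seen.
def safe_html_escape(s)
  s = s.to_s
  s = s.scrub("\uFFFD") unless s.valid_encoding?
  html_escape_chained(s)
end

# Output check: valid encoding, no raw quote or angle bracket, and every
# ampersand is the start of one of the four entities we emit.
def fully_escaped?(out)
  out.valid_encoding? &&
    out !~ /["<>]/ &&
    out.scan(/&/).size == out.scan(/&(?:amp|quot|gt|lt);/).size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: ordinary markup and a string with a stray 0xFF byte.
  plain = '<a href="x">&</a>'
  malformed = "\xff<b>".dup.force_encoding(Encoding::UTF_8)
  puts html_escape_chained(plain)
  puts safe_html_escape(malformed).inspect
end
```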

WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script