4.3

CVSS Score

Basic Information

CVE ID

CVE-2011-2932

GHSA ID

GHSA-9fh3-vh3h-q4g3

EPSS Score

0.73282%

CWE

CWE-79

Published

10/24/2017

Updated

11/10/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2011-2932

CVE-2011-2932: activesupport Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2011-2932

GHSA ID

GHSA-9fh3-vh3h-q4g3

EPSS Score

0.73282%

CWE

CWE-79

Published

10/24/2017

Updated

11/10/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
activesupport	rubygems	>= 2.0.0, < 2.3.13	2.3.13
activesupport	rubygems	>= 3.0.0, < 3.0.10	3.0.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the html_escape method in output_safety.rb, as shown in the commit diff. The original code used s.gsub(/[&"><]/) which had two critical issues: 1) The regex pattern [&"><] could fail to match certain malformed UTF-8 byte sequences due to Ruby 1.8's regex handling, and 2) The pattern didn't account for all HTML-special characters in the correct order (e.g., & needed to be escaped first). The patch explicitly chains gsub calls with specific replacements and adds s.to_s to handle non-string inputs, demonstrating the vulnerability was in this specific function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in `**tiv*support/li*/**tiv*_support/*or*_*xt/strin*/output_s***ty.r`* in Ru*y on R*ils *.x ***or* *.*.**, *.*.x ***or* *.*.**, *n* *.*.x ***or* *.*.*.r** *llows r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript

Reasoning

T** vuln*r**ility st*ms *rom t** *tml_*s**p* m*t*o* in output_s***ty.r*, *s s*own in t** *ommit *i**. T** ori*in*l *o** us** s.*su*(/[&"\>\<]/) w*i** *** two *riti**l issu*s: *) T** r***x p*tt*rn [&"\>\<] *oul* **il to m*t** **rt*in m*l*orm** UT*-* *

4.3

Basic Information

Concerned about an active attack path?

CVE-2011-2932: activesupport Cross-site Scripting vulnerability

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI