CVE-2009-3009.yml
---
gem: activesupport
framework: rails
cve: 2009-3009
osvdb: 57666
ghsa: 8qrh-h9m2-5fvf
url: http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
title: Moderate severity XSS vulnerability that affects rails
date: 2017-10-24
description: |
  Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before
  2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary
  web script or HTML by placing malformed Unicode strings into a form helper.
  The 2009-09-04 advisory at the url above mentions patches for the 2.0, 2.1,
  2.2, and 2.3 series.
unaffected_versions:
  - "< 2.0.0"
patched_versions:
  - "~> 2.2.3"
  - ">= 2.3.4"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2009-3009
    - http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
    - https://groups.google.com/g/rubyonrails-security/c/SKs_SiwWGQ8/m/tNHhlHfNV38J
    - http://www.osvdb.org/57666
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
    - https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
    - https://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
    - http://support.apple.com/kb/HT4077
    - https://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
    - http://www.debian.org/security/2009/dsa-1887
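The `unaffected_versions` and `patched_versions` fields above are RubyGems requirement strings, and a version is reported as vulnerable when it matches neither list (the rule bundler-audit applies). The following is an added example, not code from ruby-advisory-db or bundler-audit; it copies the version fields from the advisory above into an inline YAML string so it runs offline, and the list of versions it audits is a constructed sample.

```ruby
require "yaml"
require "date"
require "rubygems"

# Fields copied from the CVE-2009-3009 advisory above. The related: block is
# omitted because it plays no part in version matching.
ADVISORY_YAML = <<~YAML
  ---
  gem: activesupport
  framework: rails
  cve: 2009-3009
  date: 2017-10-24
  unaffected_versions:
    - "< 2.0.0"
  patched_versions:
    - "~> 2.2.3"
    - ">= 2.3.4"
YAML

# Psych's safe_load refuses to build Date objects unless explicitly permitted.
ADVISORY = YAML.safe_load(ADVISORY_YAML, permitted_classes: [Date]).freeze

# Turn a list of requirement strings such as "~> 2.2.3" into Gem::Requirement
# objects. Array() makes a missing key behave like an empty list.
def requirements(list)
  Array(list).map { |spec| Gem::Requirement.new(spec) }
end

def unaffected?(advisory, version)
  requirements(advisory["unaffected_versions"]).any? { |r| r.satisfied_by?(version) }
end

def patched?(advisory, version)
  requirements(advisory["patched_versions"]).any? { |r| r.satisfied_by?(version) }
end

# A version is vulnerable when it is neither listed as unaffected nor covered
# by a patched range. Entries within each list are OR-ed: one match clears it.
def vulnerable?(advisory, version_string)
  version = Gem::Version.new(version_string)
  !unaffected?(advisory, version) && !patched?(advisory, version)
end

# Audit several activesupport versions (a constructed sample, e.g. the pins
# found in a set of Gemfile.lock files) and return {version => vulnerable?}.
def audit(advisory, versions)
  versions.each_with_object({}) { |v, acc| acc[v] = vulnerable?(advisory, v) }
end

if __FILE__ == $PROGRAM_NAME
  sample = %w[1.2.6 2.0.5 2.1.2 2.2.2 2.2.3 2.3.3 2.3.4 3.2.22.5]
  audit(ADVISORY, sample).each do |version, vuln|
    puts format("activesupport %-9s %s", version, vuln ? "VULNERABLE" : "ok")
  end
end
```

Two details of the ranges are worth checking by hand. `"~> 2.2.3"` means `>= 2.2.3, < 2.3`, so 2.3.0 through 2.3.3 are flagged even though they are newer than 2.2.3; only `">= 2.3.4"` clears the 2.3 series. And although the description says patches were published for the 2.0 and 2.1 series, `patched_versions` encodes only the 2.2 and 2.3 fixes, so an application pinned to 2.0.x or 2.1.x is reported vulnerable regardless of whether a backported patch was applied; the `< 2.0.0` entry in `unaffected_versions` is what keeps 1.x releases out of the report.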