VIR Vulnerability Intelligence Relay

CVE-2012-3465

medium
Published 2012-08-09 · Modified 2025-01-21
CVSS v3
CVSS v2
4.3
VIR risk
4.3

Description

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-3465

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed2.3.14.1
debian debianbullseyefixed2.3.14.1
debian debianforkyfixed2.3.14.1
debian debiansidfixed2.3.14.1
debian debiantrixiefixed2.3.14.1

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemsactionpack<~> 3.0.17~> 3.0.17
ruby RubyGemsactionpack>=3.0.0.beta,<3.0.173.0.17
ruby RubyGemsactionpack>=3.1.0,<3.1.83.1.8
ruby RubyGemsactionpack>=3.2.0,<3.2.83.2.8
ruby RubyGemsactionpack<2.3.162.3.16

Application impact
VendorProductVersionsFixed
rubyonrailsrails0.9.1
rubyonrailsrails0.9.2
rubyonrailsrails0.9.3
rubyonrailsrails0.9.4
rubyonrailsrails0.9.4.1
rubyonrailsrails0.10.0
rubyonrailsrails0.10.1
rubyonrailsrails0.11.0
rubyonrailsrails0.11.1
rubyonrailsrails0.12.0
rubyonrailsrails0.12.1
rubyonrailsrails0.13.0
rubyonrailsrails0.13.1
rubyonrailsrails0.14.1
rubyonrailsrails0.14.2
rubyonrailsrails0.14.3
rubyonrailsrails0.14.4
rubyonrailsrails1.0.0
rubyonrailsrails1.1.0
rubyonrailsrails1.1.1
rubyonrailsrails1.1.2
rubyonrailsrails1.1.3
rubyonrailsrails1.1.4
rubyonrailsrails1.1.5
rubyonrailsrails1.1.6
rubyonrailsrails1.2.0
rubyonrailsrails1.2.1
rubyonrailsrails1.2.2
rubyonrailsrails1.2.3
rubyonrailsrails1.2.4
rubyonrailsrails1.2.5
rubyonrailsrails1.2.6
rubyonrailsrails1.9.5
rubyonrailsrails2.0.0
rubyonrailsrails2.0.1
rubyonrailsrails2.0.2
rubyonrailsrails2.0.4
rubyonrailsrails2.1.0
rubyonrailsrails2.1.1
rubyonrailsrails2.1.2
rubyonrailsrails2.2.0
rubyonrailsrails2.2.1
rubyonrailsrails2.2.2
rubyonrailsrails2.3.2
rubyonrailsrails2.3.3
rubyonrailsrails2.3.4
rubyonrailsrails2.3.9
rubyonrailsrails2.3.10
rubyonrailsrails2.3.11
rubyonrailsrails2.3.12
rubyonrailsrails3.0.0
rubyonrailsrails3.0.1
rubyonrailsrails3.0.2
rubyonrailsrails3.0.3
rubyonrailsrails3.0.4
rubyonrailsrails3.0.5
rubyonrailsrails3.0.6
rubyonrailsrails3.0.7
rubyonrailsrails3.0.8
rubyonrailsrails3.0.9
rubyonrailsrails3.0.10
rubyonrailsrails3.0.11
rubyonrailsrails3.0.12
rubyonrailsrails3.0.13
rubyonrailsrails3.0.14
rubyonrailsruby_on_rails{"endIncluding":"3.0.16"}
rubyonrailsruby_on_rails0.5.0
rubyonrailsruby_on_rails0.5.5
rubyonrailsruby_on_rails0.5.6
rubyonrailsruby_on_rails0.5.7
rubyonrailsruby_on_rails0.6.0
rubyonrailsruby_on_rails0.6.5
rubyonrailsruby_on_rails0.7.0
rubyonrailsruby_on_rails0.8.0
rubyonrailsruby_on_rails0.8.5
rubyonrailsruby_on_rails0.9.0
rubyonrailsruby_on_rails3.0.4
rubyonrailsrails3.1.0
rubyonrailsrails3.1.1
rubyonrailsrails3.1.2
rubyonrailsrails3.1.3
rubyonrailsrails3.1.4
rubyonrailsrails3.1.5
rubyonrailsrails3.1.6
rubyonrailsrails3.1.7
rubyonrailsrails3.2.0
rubyonrailsrails3.2.1
rubyonrailsrails3.2.2
rubyonrailsrails3.2.3
rubyonrailsrails3.2.4
rubyonrailsrails3.2.5
rubyonrailsrails3.2.6
rubyonrailsrails3.2.7

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.