Moderate severity · NVD Advisory · Published Jun 14, 2007 · Updated Apr 23, 2026
CVE-2007-3227
Description
Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rails | RubyGems | < 1.2.5 | 1.2.5 |
Affected products
- cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/24161 (NVD; Exploit; Web)
- secunia.com/advisories/25699 (NVD; Vendor Advisory; Web)
- secunia.com/advisories/27657 (NVD; Vendor Advisory; Web)
- secunia.com/advisories/27756 (NVD; Vendor Advisory; Web)
- www.vupen.com/english/advisories/2007/2216 (NVD; Vendor Advisory; Web)
- github.com/advisories/GHSA-gm25-fpmr-43fj (GHSA; Advisory)
- nvd.nist.gov/vuln/detail/CVE-2007-3227 (GHSA; Advisory)
- bugs.gentoo.org/show_bug.cgi (NVD; Web)
- dev.rubyonrails.org/ticket/8371 (NVD; Web)
- osvdb.org/36378 (NVD; Web)
- pastie.caboo.se/65550.txt (NVD; Web)
- security.gentoo.org/glsa/glsa-200711-17.xml (NVD; Web)
- weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release (NVD; Web)
- weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release (NVD; Web)
- www.novell.com/linux/security/advisories/2007_24_sr.html (NVD; Web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml (GHSA; Web)