Moderate severity · NVD Advisory · Published Aug 29, 2011 · Updated Apr 29, 2026
CVE-2011-2932
Description
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activesupport (RubyGems) | >= 2.0.0, < 2.3.13 | 2.3.13 |
| activesupport (RubyGems) | >= 3.0.0, < 3.0.10 | 3.0.10 |
Affected products
- cpe:2.3:a:rubyonrails:rails:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*
Patches
bfc432574d0b · properly escape html to avoid invalid utf8 causing XSS attacks
2 files changed · +8 −1
activesupport/lib/active_support/core_ext/string/output_safety.rb+1 −1 modified@@ -20,7 +20,7 @@ def html_escape(s) if s.html_safe? s else - s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe + s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe end end
activesupport/test/core_ext/string_ext_test.rb+7 −0 modified@@ -7,10 +7,17 @@ require 'active_support/core_ext/string' require 'active_support/time' require 'active_support/core_ext/string/strip' +require 'active_support/core_ext/string/output_safety' class StringInflectionsTest < Test::Unit::TestCase include InflectorTestCases + def test_erb_escape + string = [192, 60].pack('CC') + expected = 192.chr + "<" + assert_equal expected, ERB::Util.html_escape(string) + end + def test_strip_heredoc_on_an_empty_string assert_equal '', ''.strip_heredoc end
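Review bot: The added line in html_escape (`+ s.to_s.gsub(/&/, ...)` in output_safety.rb) has no comment explaining why the single character-class substitution `s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }` was split into four chained calls, or that the `&` substitution has to stay first so the ampersands introduced by the later replacements are not escaped a second time. A one-line comment naming the invalid UTF-8 case would keep a later cleanup from folding the chain back into the one-regex form. The chain also covers only `&`, `"`, `>` and `<`, the same set as the removed regex, so single quotes are still passed through unescaped. As displayed here the replacement strings are identical to the characters they replace, so the entity strings should be checked against the commit itself.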
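Review bot: test_erb_escape is added to StringInflectionsTest in string_ext_test.rb although it exercises ERB::Util.html_escape, and it checks only one input, `[192, 60].pack('CC')`, that is `<` after the single byte 192. The test would be easier to find in a test class for output safety, and the same assertion should be repeated for `&`, `"` and `>` following the invalid byte, since the fix replaces all four substitutions. A case asserting that an already html_safe string is returned unchanged would cover the untouched branch of the same method.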
References
- groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21 (nvd, Patch, WEB)
- weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 (nvd, Patch, WEB)
- www.openwall.com/lists/oss-security/2011/08/17/1 (nvd, Patch, WEB)
- www.openwall.com/lists/oss-security/2011/08/19/11 (nvd, Patch, WEB)
- www.openwall.com/lists/oss-security/2011/08/20/1 (nvd, Patch, WEB)
- www.openwall.com/lists/oss-security/2011/08/22/13 (nvd, Patch, WEB)
- www.openwall.com/lists/oss-security/2011/08/22/5 (nvd, Patch, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, Patch, WEB)
- github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd (nvd, Patch, WEB)
- github.com/advisories/GHSA-9fh3-vh3h-q4g3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2011-2932 (ghsa, ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html (nvd, WEB)
- www.openwall.com/lists/oss-security/2011/08/22/14 (nvd, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2932.yml (ghsa, WEB)
- secunia.com/advisories/45917 (nvd)