Moderate severity · NVD Advisory · Published Jul 26, 2015 · Updated May 6, 2026
CVE-2015-3226
Description
Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activesupport (RubyGems) | >= 4.1.0, < 4.1.11 | 4.1.11 |
| activesupport (RubyGems) | >= 4.2.0, < 4.2.2 | 4.2.2 |
Affected products
31 CPE entries:
- cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.2.17:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-vxvp-4xwc-jpp6 (GHSA, advisory)
- groups.google.com/forum/message/raw (NVD, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2015-3226 (GHSA, advisory)
- openwall.com/lists/oss-security/2015/06/16/17 (NVD, web)
- www.debian.org/security/2016/dsa-3464 (NVD, web)
- groups.google.com/g/rubyonrails-core/c/qBUqVlXERag/m/kuH3wQk1kxUJ (GHSA, web)
- web.archive.org/web/20200228033946/http://www.securityfocus.com/bid/75231 (GHSA, web)
- web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755 (GHSA, web)
- www.securityfocus.com/bid/75231 (NVD)
- www.securitytracker.com/id/1033755 (NVD)