CVE-2007-3227 : Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to

Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

Published 2007-06-14 23:30:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2007-3227

Rubyonrails » Rails » Version: 1.1.5
cpe:2.3:a:rubyonrails:rails:1.1.5:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2007-3227

EPSS FAQ

15.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2007-3227

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2007-3227

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2007-3227

http://secunia.com/advisories/25699

About Secunia Research | Flexera
Vendor Advisory
http://pastie.caboo.se/65550.txt
http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release

Ruby on Rails — Rails 1.2.5: Security and maintenance release
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release

Ruby on Rails — Rails 1.2.4: Maintenance release

CVEs referencing this url
http://dev.rubyonrails.org/ticket/8371
http://bugs.gentoo.org/show_bug.cgi?id=195315

195315 – dev-ruby/rails <1.2.5 Multiple vulnerabilities (CVE-2007-{3227,5379,5380})

CVEs referencing this url
http://secunia.com/advisories/27657

About Secunia Research | Flexera
Vendor Advisory

CVEs referencing this url
http://secunia.com/advisories/27756

About Secunia Research | Flexera
Vendor Advisory

CVEs referencing this url
http://security.gentoo.org/glsa/glsa-200711-17.xml

Ruby on Rails: Multiple vulnerabilities (GLSA 200711-17) — Gentoo security

CVEs referencing this url
http://www.vupen.com/english/advisories/2007/2216

Webmail: access your OVH emails on ovhcloud.com | OVHcloud
Vendor Advisory
http://osvdb.org/36378
http://www.novell.com/linux/security/advisories/2007_24_sr.html

Security - Support | SUSE

CVEs referencing this url
http://www.securityfocus.com/bid/24161

Exploit

Jump to

Vulnerability Details : CVE-2007-3227

Products affected by CVE-2007-3227

Exploit prediction scoring system (EPSS) score for CVE-2007-3227

CVSS scores for CVE-2007-3227

CWE ids for CVE-2007-3227

References for CVE-2007-3227