Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5a2t-fre4-zkay
Vulnerability ID VCID-5a2t-fre4-zkay
Aliases CVE-2012-1099
GHSA-2xjj-5x6h-8vmf
OSV-79727
Summary Cross-site Scripting in actionpack Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/form_options_helper.rb` in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual MODERATE http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html
epss 0.00399 https://api.first.org/data/v1/epss?cve=CVE-2012-1099
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=799276
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-2xjj-5x6h-8vmf
generic_textual MODERATE https://github.com/advisories/GHSA-2xjj-5x6h-8vmf
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2012-1099
generic_textual MODERATE http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
generic_textual MODERATE http://www.debian.org/security/2012/dsa-2466
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2012/03/02/6
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2012/03/03/1
Reference id Reference type URL
http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1099.json
https://api.first.org/data/v1/epss?cve=CVE-2012-1099
https://bugzilla.redhat.com/show_bug.cgi?id=799276
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
https://github.com/advisories/GHSA-2xjj-5x6h-8vmf
https://github.com/rails/rails/commit/9435f5a479317458c558ae743b7d876dd5a5db20
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-79727.yml
https://nvd.nist.gov/vuln/detail/CVE-2012-1099
http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
http://www.debian.org/security/2012/dsa-2466
http://www.openwall.com/lists/oss-security/2012/03/02/6
http://www.openwall.com/lists/oss-security/2012/03/03/1
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.60937
EPSS Score 0.00399
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:03.255441+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-2xjj-5x6h-8vmf/GHSA-2xjj-5x6h-8vmf.json 38.6.0