Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ejgq-s79w-abd6
Vulnerability ID VCID-ejgq-s79w-abd6
Aliases CVE-2011-2197
GHSA-v9v4-7jp6-8c73
Summary rails Cross-site Scripting vulnerability The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual MODERATE http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html
generic_textual MODERATE http://openwall.com/lists/oss-security/2011/06/09/2
generic_textual MODERATE http://openwall.com/lists/oss-security/2011/06/13/9
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2011-2197
generic_textual MODERATE https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-v9v4-7jp6-8c73
generic_textual MODERATE https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd
generic_textual MODERATE https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2011-2197
generic_textual MODERATE http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
Reference id Reference type URL
http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html
http://openwall.com/lists/oss-security/2011/06/09/2
http://openwall.com/lists/oss-security/2011/06/13/9
https://api.first.org/data/v1/epss?cve=CVE-2011-2197
http://secunia.com/advisories/44789
https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f
https://github.com/rails/rails
https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd
https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml
https://nvd.nist.gov/vuln/detail/CVE-2011-2197
http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
GHSA-v9v4-7jp6-8c73 https://github.com/advisories/GHSA-v9v4-7jp6-8c73
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.63551
EPSS Score 0.00442
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:01.101469+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-v9v4-7jp6-8c73/GHSA-v9v4-7jp6-8c73.json 38.6.0