{"url":"http://public2.vulnerablecode.io/api/packages/54508?format=json","purl":"pkg:gem/activesupport@2.3.0","type":"gem","namespace":"","name":"activesupport","version":"2.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.2.3.1","latest_non_vulnerable_version":"8.1.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39059?format=json","vulnerability_id":"VCID-hdu6-u2pb-aqhp","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.","references":[{"reference_url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"},{"reference_url":"http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source"},{"reference_url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3009","reference_id":"","reference_type":"","scores":[{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.82272","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01632","scoring_system":"epss","scoring_elements":"0.82243","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3009"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009"},{"reference_url":"http://secunia.com/advisories/36600","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/36600"},{"reference_url":"http://secunia.com/advisories/36717","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/36717"},{"reference_url":"http://securitytracker.com/id?1022824","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://securitytracker.com/id?1022824"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53036","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53036"},{"reference_url":"http://support.apple.com/kb/HT4077","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.apple.com/kb/HT4077"},{"reference_url":"http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails"},{"reference_url":"http://www.debian.org/security/2009/dsa-1887","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2009/dsa-1887"},{"reference_url":"http://www.osvdb.org/57666","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.osvdb.org/57666"},{"reference_url":"http://www.securityfocus.com/bid/36278","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/36278"},{"reference_url":"http://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=520843","reference_id":"520843","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=520843"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063","reference_id":"545063","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3009","reference_id":"CVE-2009-3009","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3009"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml","reference_id":"CVE-2009-3009.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml"},{"reference_url":"https://github.com/advisories/GHSA-8qrh-h9m2-5fvf","reference_id":"GHSA-8qrh-h9m2-5fvf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qrh-h9m2-5fvf"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54509?format=json","purl":"pkg:gem/activesupport@2.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ad4-q567-8qcq"},{"vulnerability":"VCID-7s2b-9sgy-4qb4"},{"vulnerability":"VCID-839h-sa86-2be5"},{"vulnerability":"VCID-a7v6-afbj-qkhy"},{"vulnerability":"VCID-abr5-xar6-ekcy"},{"vulnerability":"VCID-bq89-45d8-67a3"},{"vulnerability":"VCID-chxq-j9us-cygh"},{"vulnerability":"VCID-gyn1-xnr1-r3db"},{"vulnerability":"VCID-hdu6-u2pb-aqhp"},{"vulnerability":"VCID-jkk1-jx5j-q3ch"},{"vulnerability":"VCID-kcmy-x97t-pbc3"},{"vulnerability":"VCID-metq-6w6t-wkdw"},{"vulnerability":"VCID-p62q-tuq8-7ubx"},{"vulnerability":"VCID-upyj-312m-cyhg"},{"vulnerability":"VCID-y8nc-5c1w-c3ed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@2.3.4"}],"aliases":["CVE-2009-3009","GHSA-8qrh-h9m2-5fvf","OSV-57666"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hdu6-u2pb-aqhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39068?format=json","vulnerability_id":"VCID-jkk1-jx5j-q3ch","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nA certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3086","reference_id":"","reference_type":"","scores":[{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68559","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68518","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3086"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086"},{"reference_url":"http://secunia.com/advisories/36600","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/36600"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0"},{"reference_url":"https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978"},{"reference_url":"https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml"},{"reference_url":"https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600"},{"reference_url":"https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427"},{"reference_url":"http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails"},{"reference_url":"http://www.debian.org/security/2011/dsa-2260","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2011/dsa-2260"},{"reference_url":"http://www.securityfocus.com/bid/37427","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/37427"},{"reference_url":"http://www.vupen.com/english/advisories/2009/2544","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2009/2544"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063","reference_id":"545063","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3086","reference_id":"CVE-2009-3086","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3086"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml","reference_id":"CVE-2009-3086.YML","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml"},{"reference_url":"https://github.com/advisories/GHSA-fg9w-g6m4-557j","reference_id":"GHSA-fg9w-g6m4-557j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fg9w-g6m4-557j"},{"reference_url":"https://security.gentoo.org/glsa/200912-02","reference_id":"GLSA-200912-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200912-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54509?format=json","purl":"pkg:gem/activesupport@2.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ad4-q567-8qcq"},{"vulnerability":"VCID-7s2b-9sgy-4qb4"},{"vulnerability":"VCID-839h-sa86-2be5"},{"vulnerability":"VCID-a7v6-afbj-qkhy"},{"vulnerability":"VCID-abr5-xar6-ekcy"},{"vulnerability":"VCID-bq89-45d8-67a3"},{"vulnerability":"VCID-chxq-j9us-cygh"},{"vulnerability":"VCID-gyn1-xnr1-r3db"},{"vulnerability":"VCID-hdu6-u2pb-aqhp"},{"vulnerability":"VCID-jkk1-jx5j-q3ch"},{"vulnerability":"VCID-kcmy-x97t-pbc3"},{"vulnerability":"VCID-metq-6w6t-wkdw"},{"vulnerability":"VCID-p62q-tuq8-7ubx"},{"vulnerability":"VCID-upyj-312m-cyhg"},{"vulnerability":"VCID-y8nc-5c1w-c3ed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@2.3.4"}],"aliases":["CVE-2009-3086","GHSA-fg9w-g6m4-557j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jkk1-jx5j-q3ch"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@2.3.0"}