Vulnerability details: VCID-3zdr-vasc-a7cn
Vulnerability ID VCID-3zdr-vasc-a7cn
Aliases CVE-2009-3009
GHSA-8qrh-h9m2-5fvf
OSV-57666
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
generic_textual MODERATE http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
generic_textual MODERATE http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
generic_textual MODERATE http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
epss 0.01632 https://api.first.org/data/v1/epss?cve=CVE-2009-3009
generic_textual MODERATE http://secunia.com/advisories/36600
generic_textual MODERATE http://secunia.com/advisories/36717
generic_textual MODERATE http://securitytracker.com/id?1022824
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
generic_textual MODERATE https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2009-3009
generic_textual MODERATE http://support.apple.com/kb/HT4077
generic_textual MODERATE http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
generic_textual MODERATE http://www.debian.org/security/2009/dsa-1887
generic_textual MODERATE http://www.osvdb.org/57666
generic_textual MODERATE http://www.securityfocus.com/bid/36278
generic_textual MODERATE http://www.vupen.com/english/advisories/2009/2544
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.81837
EPSS Score 0.01632
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:25.372428+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2009-3009.yml 38.0.0