VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-mvfq-sajq-bfb9

Essentials
Severities (21)
References (22)
Severity details (20)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-mvfq-sajq-bfb9
Aliases	CVE-2009-4214 GHSA-9p3v-wf2w-v29c
Summary	Moderate severity vulnerability that affects rails Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	MODERATE	http://github.com/rails/rails
generic_textual	MODERATE	http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
generic_textual	MODERATE	http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
generic_textual	MODERATE	http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
generic_textual	MODERATE	http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
epss	0.01632	https://api.first.org/data/v1/epss?cve=CVE-2009-4214
generic_textual	MODERATE	http://secunia.com/advisories/37446
generic_textual	MODERATE	http://secunia.com/advisories/38915
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-9p3v-wf2w-v29c
generic_textual	MODERATE	https://github.com/advisories/GHSA-9p3v-wf2w-v29c
generic_textual	MODERATE	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2009-4214
generic_textual	MODERATE	http://support.apple.com/kb/HT4077
generic_textual	MODERATE	http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
generic_textual	MODERATE	http://www.debian.org/security/2011/dsa-2260
generic_textual	MODERATE	http://www.debian.org/security/2011/dsa-2301
generic_textual	MODERATE	http://www.openwall.com/lists/oss-security/2009/11/27/2
generic_textual	MODERATE	http://www.openwall.com/lists/oss-security/2009/12/08/3
generic_textual	MODERATE	http://www.securityfocus.com/bid/37142
generic_textual	MODERATE	http://www.securitytracker.com/id?1023245
generic_textual	MODERATE	http://www.vupen.com/english/advisories/2009/3352

Reference id	Reference type	URL
		http://github.com/rails/rails
		http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
		http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
		http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
		http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
		https://api.first.org/data/v1/epss?cve=CVE-2009-4214
		http://secunia.com/advisories/37446
		http://secunia.com/advisories/38915
		http://support.apple.com/kb/HT4077
		http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
		http://www.debian.org/security/2011/dsa-2260
		http://www.debian.org/security/2011/dsa-2301
		http://www.openwall.com/lists/oss-security/2009/11/27/2
		http://www.openwall.com/lists/oss-security/2009/12/08/3
		http://www.securityfocus.com/bid/37142
		http://www.securitytracker.com/id?1023245
		http://www.vupen.com/english/advisories/2009/3352
558685		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
CVE-2009-4214		https://nvd.nist.gov/vuln/detail/CVE-2009-4214
CVE-2009-4214.YML		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
GHSA-9p3v-wf2w-v29c		https://github.com/advisories/GHSA-9p3v-wf2w-v29c
GLSA-200912-02		https://security.gentoo.org/glsa/200912-02

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.82215
EPSS Score	0.01632
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T20:53:09.414874+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2009-4214.yml	38.6.0