CVE-2009-3009: Cross site scripting that affects rails

October 24, 2017 (updated April 9, 2025)

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

References

exchange.xforce.ibmcloud.com/vulnerabilities/53036
github.com/advisories/GHSA-8qrh-h9m2-5fvf
github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml
nvd.nist.gov/vuln/detail/CVE-2009-3009

Code Behaviors & Features

Detect and mitigate CVE-2009-3009 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →