---
url: http://www.osvdb.org/show/osvdb/79727
title: Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb Manually Generated Select Tag Options XSS

description: >
  Ruby on Rails contains a flaw that allows a remote cross-site
  scripting (XSS) attack. This flaw exists because the application does
  not validate manually generated 'select tag options' upon submission
  to actionpack/lib/action_view/helpers/form_options_helper.rb. This may
  allow a user to create a specially crafted request that would execute
  arbitrary script code in a user's browser within the trust
  relationship between their browser and the server.

cvss_v2: 4.3

patched_versions:
  - ~> 3.0.12
  - ~> 3.1.4
  - ">= 3.2.2"