--- 
gem: actionpack
framework: rails
cve: 2012-1099
osvdb: 79727
url: http://www.osvdb.org/show/osvdb/79727
title:
  Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb
  Manually Generated Select Tag Options XSS
date: 2012-03-01

description: |
  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) 
  attack. This flaw exists because the application does not validate manually
  generated 'select tag options' upon submission to
  actionpack/lib/action_view/helpers/form_options_helper.rb. This may allow a
  user to create a specially crafted request that would execute arbitrary
  script code in a user's browser within the trust relationship between their
  browser and the server.

cvss_v2: 4.3

patched_versions: 
  - ~> 3.0.12
  - ~> 3.1.4
  - ">= 3.2.2"