The developers of Ruby on Rails, the popular web app framework, released four new versions of the product yesterday, complete with fixes for a series of vulnerabilities that could have lead to denial of service attacks and XSS injections.
Four vulnerabilities in total are addressed in versions 3.2.13, 3.1.12 and 2.3.18 of Rails, according to a post to the company’s blog on Monday. “All versions are impacted by one or more of these security issues,” according to the post.
A symbol denial of service (DoS) vulnerability (CVE-2013-1854) in Rails’ ActiveRecord function, two cross-site scripting vulnerabilities, one in the sanitize helper (CVE-2013-1857) and one in the sanitize_css method in Action Pack (CVE-2013-1855) were patched.
An additional XML parsing vulnerability in the JDOM backend of ActiveSupport could have also allowed an attacker to perform a denial-of-service attack or gain access to files stored on the application server when using JRuby (CVE-2013-1856) according to one of the warnings.
The XSS vulnerabilities in particular could have allowed an attacker to embed a tag containing a URL that executes arbitrary JavaScript code.
Ruby on Rails contributor Aaron Patterson goes deeper into the vulnerabilities – and potential workarounds – on the group’s Google Groups page here while the updates, which users are encouraged to apply as soon as possible, are available here.
The group fixed a slew of similar issues in Ruby on Rails around this time last month, including a YAML flaw in ActiveRecord that lead to remote code execution.