The Ruby on Rails developers have released versions 2.3.11 and 3.0.4 of Ruby on Rails, maintenance and security updates that address four security vulnerabilities in the open source web framework.
According to the developers, the latest updates address a cross-site scripting (XSS) vulnerability in the mail_to helper when used with the :encode => :javascript option, as well as a cross-site request forgery (CSRF) vulnerability that could allow an attacker to circumvent built-in protections. All versions up to and including 2.3.10 and 3.0.3 are said to be affected.

Two vulnerabilities that affect only the 3.0.x branch of Ruby on Rails have also been corrected: an SQL injection issue in the limit() method and a weakness in the file-system filtering code. The developers strongly advise all users to update to the latest versions as soon as possible.
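The limit() issue above is a reminder that any value spliced into a LIMIT clause must be an integer before it reaches SQL. The following is an added example in plain Ruby, not code from Rails or from the article; the cap MAX_LIMIT, the function names and the query builder are assumptions used for illustration. It rejects anything that is not a bare non-negative integer and clamps the result, so a value such as "1; DROP TABLE users" never becomes part of the statement.

```ruby
# Added example (not Rails code): coerce an untrusted LIMIT value before it
# reaches SQL. Rails 3.0.4 added its own sanitisation for limit(); this shows
# the same defensive idea in standalone Ruby.

MAX_LIMIT = 100 # assumed application-wide cap on rows per page

# Returns an Integer suitable for a LIMIT clause, or nil when the input is not
# a plain non-negative integer. Whitespace around the digits is tolerated;
# signs, SQL keywords, comments and separators are all rejected.
def sanitize_limit(value, max = MAX_LIMIT)
  str = value.to_s.strip
  return nil unless str.match?(/\A\d+\z/)
  n = Integer(str, 10)
  [n, max].min
end

# Builds the query text with the sanitised limit. The table name is a constant
# chosen by application code, never user input. Rejected input raises instead
# of falling through to interpolation of raw user data.
def build_query(table, limit_param)
  limit = sanitize_limit(limit_param)
  raise ArgumentError, "invalid limit: #{limit_param.inspect}" if limit.nil?
  "SELECT * FROM #{table} LIMIT #{limit}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as they might arrive from a query string.
  ["25", " 7 ", "500", "1; DROP TABLE users", "10 OFFSET 5", "-1", ""].each do |raw|
    puts "#{raw.inspect} -> #{sanitize_limit(raw).inspect}"
  end
end
```

In an application the integer would normally be passed to the query layer as a parameter rather than interpolated, but the point here is that the coercion happens before any SQL text exists, so the data type itself rules out injection through this argument.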

The link for this article located at H Security is no longer available.