Filtered by vendor Rubyonrails
Subscribe
Total
132 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-6316 | 2 Debian, Rubyonrails | 3 Debian Linux, Rails, Ruby On Rails | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers. | |||||
| CVE-2016-0751 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. | |||||
| CVE-2014-7818 | 2 Opensuse, Rubyonrails | 3 Opensuse, Rails, Ruby On Rails | 2025-04-12 | 4.3 MEDIUM | N/A |
| Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. | |||||
| CVE-2014-3482 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-12 | 7.5 HIGH | N/A |
| SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. | |||||
| CVE-2015-7576 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-12 | 4.3 MEDIUM | 3.7 LOW |
| The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. | |||||
| CVE-2016-0753 | 4 Debian, Fedoraproject, Opensuse and 1 more | 4 Debian Linux, Fedora, Leap and 1 more | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters. | |||||
| CVE-2015-3227 | 2 Opensuse, Rubyonrails | 2 Opensuse, Rails | 2025-04-12 | 5.0 MEDIUM | N/A |
| The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. | |||||
| CVE-2015-7580 | 1 Rubyonrails | 2 Html Sanitizer, Rails | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. | |||||
| CVE-2014-0080 | 1 Rubyonrails | 1 Rails | 2025-04-11 | 6.8 MEDIUM | N/A |
| SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. | |||||
| CVE-2013-6415 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. | |||||
| CVE-2013-1855 | 2 Redhat, Rubyonrails | 3 Enterprise Linux, Rails, Ruby On Rails | 2025-04-11 | 4.3 MEDIUM | N/A |
| The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. | |||||
| CVE-2010-3933 | 1 Rubyonrails | 1 Rails | 2025-04-11 | 6.4 MEDIUM | N/A |
| Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | |||||
| CVE-2013-0277 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-11 | 10.0 HIGH | N/A |
| ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML. | |||||
| CVE-2013-0276 | 1 Rubyonrails | 1 Rails | 2025-04-11 | 4.3 MEDIUM | N/A |
| ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request. | |||||
| CVE-2012-6497 | 1 Rubyonrails | 1 Rails | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product. | |||||
| CVE-2013-1854 | 2 Redhat, Rubyonrails | 3 Enterprise Linux, Rails, Ruby On Rails | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. | |||||
| CVE-2011-0447 | 1 Rubyonrails | 1 Rails | 2025-04-11 | 6.8 MEDIUM | N/A |
| Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. | |||||
| CVE-2012-3464 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. | |||||
| CVE-2012-1099 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements. | |||||
| CVE-2013-3221 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-11 | 6.4 MEDIUM | N/A |
| The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. | |||||