Vulnerabilities > Rubyonrails

DATE CVE VULNERABILITY TITLE RISK
2021-01-06 CVE-2020-8264 Cross-Site Scripting vulnerability in Rubyonrails Rails
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application.
4.3
2020-07-02 CVE-2020-8185 Resource Exhaustion vulnerability in Rubyonrails Rails
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
network
low complexity
rubyonrails CWE-400
4.0
2020-07-02 CVE-2020-8166 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
4.3
2020-07-02 CVE-2020-8163 Code Injection vulnerability in multiple products
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
network
low complexity
rubyonrails debian CWE-94
6.5
2020-06-19 CVE-2020-8167 Cross-Site Request Forgery (CSRF) vulnerability in Rubyonrails Rails
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
4.3
2020-06-19 CVE-2020-8165 Deserialization of Untrusted Data vulnerability in multiple products
A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
network
low complexity
rubyonrails debian CWE-502
7.5
2020-06-19 CVE-2020-8164 Deserialization of Untrusted Data vulnerability in multiple products
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
network
low complexity
rubyonrails debian CWE-502
5.0
2020-06-19 CVE-2020-8162 Unrestricted Upload of File With Dangerous Type vulnerability in Rubyonrails Rails
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
network
low complexity
rubyonrails CWE-434
5.0
2020-05-12 CVE-2020-8159 Path Traversal vulnerability in Rubyonrails Actionpack Page-Caching
There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
network
low complexity
rubyonrails CWE-22
7.5
2020-05-12 CVE-2020-8151 Information Exposure vulnerability in Rubyonrails Active Resource
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
network
low complexity
rubyonrails CWE-200
5.0