Vulnerabilities > Rubyonrails

DATE CVE VULNERABILITY TITLE RISK
2021-06-11 CVE-2021-22902 Unspecified vulnerability in Rubyonrails Rails
The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch.
network
low complexity
rubyonrails
5.0
2021-06-11 CVE-2021-22903 Open Redirect vulnerability in Rubyonrails Rails
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability.
5.8
2021-06-11 CVE-2021-22904 Unspecified vulnerability in Rubyonrails Rails
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression.
network
low complexity
rubyonrails
5.0
2021-05-27 CVE-2021-22885 Information Exposure Through an Error Message vulnerability in Rubyonrails Actionpack Page-Caching and Rails
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input.
network
low complexity
rubyonrails CWE-209
5.0
2021-03-05 CVE-2019-25025 Unspecified vulnerability in Rubyonrails Active Record Session Store
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid.
network
low complexity
rubyonrails
5.0
2021-02-11 CVE-2021-22881 Open Redirect vulnerability in multiple products
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability.
5.8
2021-02-11 CVE-2021-22880 Resource Exhaustion vulnerability in multiple products
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability.
network
low complexity
rubyonrails fedoraproject CWE-400
5.0
2021-01-06 CVE-2020-8264 Cross-site Scripting vulnerability in Rubyonrails Rails
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application.
4.3
2020-07-02 CVE-2020-8185 Resource Exhaustion vulnerability in Rubyonrails Rails
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
network
low complexity
rubyonrails CWE-400
4.0
2020-07-02 CVE-2020-8166 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
4.3