Vulnerabilities > Rubyonrails

DATE CVE VULNERABILITY TITLE RISK
2012-06-22 CVE-2012-2694 Permissions, Privileges, and Access Controls vulnerability in Rubyonrails Rails and Ruby ON Rails
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
4.3
2012-06-22 CVE-2012-2661 SQL Injection vulnerability in Rubyonrails Rails and Ruby ON Rails
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
network
low complexity
rubyonrails CWE-89
5.0
2012-06-22 CVE-2012-2660 Permissions, Privileges, and Access Controls vulnerability in Rubyonrails Rails and Ruby ON Rails
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
network
low complexity
rubyonrails CWE-264
6.4
2012-03-13 CVE-2012-1099 Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
4.3
2012-03-13 CVE-2012-1098 Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
4.3
2011-11-28 CVE-2011-4319 Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
4.3
2011-08-29 CVE-2011-3187 Improper Input Validation vulnerability in Rubyonrails Rails 3.0.5
The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
4.3
2011-08-29 CVE-2011-3186 Code Injection vulnerability in Rubyonrails Rails
CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.
4.3
2011-08-29 CVE-2011-2932 Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
4.3
2011-08-29 CVE-2011-2931 Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
4.3