Vulnerabilities > Rubyonrails

DATE CVE VULNERABILITY TITLE RISK
2020-07-02 CVE-2020-8163 Code Injection vulnerability in multiple products
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
network
low complexity
rubyonrails debian CWE-94
8.8
2020-06-19 CVE-2020-8167 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
network
low complexity
rubyonrails debian CWE-352
6.5
2020-06-19 CVE-2020-8165 Deserialization of Untrusted Data vulnerability in multiple products
A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
network
low complexity
rubyonrails debian opensuse CWE-502
critical
9.8
2020-06-19 CVE-2020-8164 Deserialization of Untrusted Data vulnerability in multiple products
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
network
low complexity
rubyonrails debian opensuse CWE-502
7.5
2020-06-19 CVE-2020-8162 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
network
low complexity
rubyonrails debian CWE-434
7.5
2020-05-12 CVE-2020-8159 Path Traversal vulnerability in multiple products
There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
network
low complexity
rubyonrails debian CWE-22
critical
9.8
2020-05-12 CVE-2020-8151 Incorrect Authorization vulnerability in multiple products
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
network
low complexity
rubyonrails fedoraproject CWE-863
7.5
2020-03-19 CVE-2020-5267 In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers.
network
low complexity
rubyonrails debian fedoraproject opensuse
4.8
2019-11-12 CVE-2010-3299 Missing Encryption of Sensitive Data vulnerability in multiple products
The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.
network
low complexity
rubyonrails debian CWE-311
6.5
2019-03-27 CVE-2019-5420 Use of Insufficiently Random Values vulnerability in multiple products
A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token.
network
low complexity
rubyonrails debian fedoraproject CWE-330
critical
9.8