Vulnerabilities > Rubyonrails > Rails > 5.0.6
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-06-19 | CVE-2020-8162 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | 7.5 |
2019-03-27 | CVE-2019-5420 | Use of Insufficiently Random Values vulnerability in multiple products A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. | 9.8 |
2019-03-27 | CVE-2019-5419 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive. | 7.5 |
2019-03-27 | CVE-2019-5418 | There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. | 7.5 |
2018-11-30 | CVE-2018-16476 | Deserialization of Untrusted Data vulnerability in multiple products A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. | 7.5 |
2017-12-29 | CVE-2017-17917 | SQL Injection vulnerability in Rubyonrails Rails SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. | 8.1 |
2017-12-29 | CVE-2017-17916 | SQL Injection vulnerability in Rubyonrails Rails SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. | 8.1 |