Vulnerabilities > Rubyonrails > Rails > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-06-11 CVE-2021-22903 Open Redirect vulnerability in Rubyonrails Rails
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability.
network
low complexity
rubyonrails CWE-601
6.1
2021-02-11 CVE-2021-22881 Open Redirect vulnerability in multiple products
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability.
network
low complexity
rubyonrails fedoraproject CWE-601
6.1
2021-01-06 CVE-2020-8264 Cross-site Scripting vulnerability in Rubyonrails Rails
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application.
network
low complexity
rubyonrails CWE-79
6.1
2020-07-02 CVE-2020-8185 Resource Exhaustion vulnerability in multiple products
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
network
low complexity
rubyonrails fedoraproject CWE-400
6.5
2020-07-02 CVE-2020-8166 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
network
low complexity
rubyonrails debian CWE-352
4.3
2020-06-19 CVE-2020-8167 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
network
low complexity
rubyonrails debian CWE-352
6.5
2019-11-12 CVE-2010-3299 Missing Encryption of Sensitive Data vulnerability in multiple products
The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.
network
low complexity
rubyonrails debian CWE-311
6.5
2018-11-30 CVE-2018-16477 Unspecified vulnerability in Rubyonrails Rails 5.2.0/5.2.1
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline.
network
low complexity
rubyonrails
6.5
2016-09-07 CVE-2016-6316 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
network
low complexity
rubyonrails debian CWE-79
6.1
2016-04-07 CVE-2016-2097 Path Traversal vulnerability in Rubyonrails Ruby on Rails
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a ..
network
low complexity
rubyonrails CWE-22
5.3