Vulnerabilities > Rubyonrails > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-19 | CVE-2020-8162 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | 7.5 |
| 2020-05-12 | CVE-2020-8151 | Incorrect Authorization vulnerability in multiple products There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. | 7.5 |
| 2019-03-27 | CVE-2019-5419 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive. | 7.5 |
| 2019-03-27 | CVE-2019-5418 | There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. | 7.5 |
| 2018-11-30 | CVE-2018-16476 | Deserialization of Untrusted Data vulnerability in multiple products A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. | 7.5 |
| 2017-12-29 | CVE-2017-17920 | SQL Injection vulnerability in Rubyonrails Ruby on Rails SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. | 8.1 |
| 2017-12-29 | CVE-2017-17919 | SQL Injection vulnerability in Rubyonrails Ruby on Rails SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. | 8.1 |
| 2017-12-29 | CVE-2017-17917 | SQL Injection vulnerability in Rubyonrails Rails SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. | 8.1 |
| 2017-12-29 | CVE-2017-17916 | SQL Injection vulnerability in Rubyonrails Rails SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. | 8.1 |
| 2016-09-07 | CVE-2016-6317 | NULL Pointer Dereference vulnerability in Rubyonrails Rails Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155. | 7.5 |