Vulnerabilities > Rubyonrails > Ruby ON Rails
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-12-29 | CVE-2017-17920 | SQL Injection vulnerability in Rubyonrails Ruby on Rails SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. | 8.1 |
| 2017-12-29 | CVE-2017-17919 | SQL Injection vulnerability in Rubyonrails Ruby on Rails SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. | 8.1 |
| 2016-09-07 | CVE-2016-6316 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers. | 6.1 |
| 2016-04-07 | CVE-2016-2098 | Improper Input Validation vulnerability in multiple products Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. | 7.5 |
| 2016-04-07 | CVE-2016-2097 | Path Traversal vulnerability in Rubyonrails Rails and Ruby ON Rails Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. | 5.0 |
| 2016-02-16 | CVE-2016-0752 | Path Traversal vulnerability in Rubyonrails Rails and Ruby ON Rails Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. | 5.0 |
| 2016-02-16 | CVE-2016-0751 | Resource Management Errors vulnerability in Rubyonrails Rails and Ruby ON Rails actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. | 5.0 |
| 2016-02-16 | CVE-2015-7577 | Improper Access Control vulnerability in Rubyonrails Rails and Ruby ON Rails activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. | 5.0 |
| 2016-02-16 | CVE-2015-7576 | 7PK - Security Features vulnerability in Rubyonrails Rails and Ruby ON Rails The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. | 4.3 |
| 2015-07-26 | CVE-2015-3226 | Cross-site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. | 4.3 |