Vulnerabilities > Rubyonrails > Ruby ON Rails > 1.2.1

DATE CVE VULNERABILITY TITLE RISK
2017-12-29 CVE-2017-17920 SQL Injection vulnerability in Rubyonrails Ruby on Rails
SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter.
network
high complexity
rubyonrails CWE-89
8.1
2017-12-29 CVE-2017-17919 SQL Injection vulnerability in Rubyonrails Ruby on Rails
SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter.
network
high complexity
rubyonrails CWE-89
8.1
2016-04-07 CVE-2016-2098 Improper Input Validation vulnerability in multiple products
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
network
low complexity
debian rubyonrails CWE-20
7.5
2016-04-07 CVE-2016-2097 Path Traversal vulnerability in Rubyonrails Rails and Ruby ON Rails
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a ..
network
low complexity
rubyonrails CWE-22
5.0
2016-02-16 CVE-2016-0752 Path Traversal vulnerability in Rubyonrails Rails and Ruby ON Rails
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a ..
network
low complexity
rubyonrails CWE-22
5.0
2016-02-16 CVE-2016-0751 Resource Management Errors vulnerability in Rubyonrails Rails and Ruby ON Rails
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
network
low complexity
rubyonrails CWE-399
5.0
2016-02-16 CVE-2015-7577 Improper Access Control vulnerability in Rubyonrails Rails and Ruby ON Rails
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
network
low complexity
rubyonrails CWE-284
5.0
2016-02-16 CVE-2015-7576 7PK - Security Features vulnerability in Rubyonrails Rails and Ruby ON Rails
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
4.3
2014-02-20 CVE-2014-0082 Improper Input Validation vulnerability in Rubyonrails Rails and Ruby ON Rails
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
network
low complexity
rubyonrails CWE-20
5.0
2014-02-20 CVE-2014-0081 Cross-Site Scripting vulnerability in multiple products
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
4.3