RubyGems package

actionpack

pkg:gem/actionpack

Vulnerabilities (63)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2008-7248	—	>= 2.1.0, < 2.1.3	2.1.3	Dec 16, 2009	Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated us
CVE-2009-3086	—	>= 2.1.0, < 2.2.3	2.2.3	Sep 8, 2009	A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
CVE-2009-3009	—	>= 2.0.0, < 2.2.3	2.2.3	Sep 8, 2009	Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

CVE-2008-7248Dec 16, 2009
affected >= 2.1.0, < 2.1.3fixed 2.1.3
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated us
CVE-2009-3086Sep 8, 2009
affected >= 2.1.0, < 2.2.3fixed 2.2.3
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
CVE-2009-3009Sep 8, 2009
affected >= 2.0.0, < 2.2.3fixed 2.2.3
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

Page 4 of 4