RubyGems package
activerecord
pkg:gem/activerecord
Vulnerabilities (23)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2011-0448 | — | >= 3.0.0, < 3.0.4 | 3.0.4 | Feb 21, 2011 | Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. | ||
| CVE-2010-3933 | — | >= 2.3.9, < 2.3.10 | 2.3.10 | Oct 28, 2010 | Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | ||
| CVE-2008-4094 | — | < 2.1.1 | 2.1.1 | Sep 30, 2008 | Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. |
- CVE-2011-0448Feb 21, 2011affected >= 3.0.0, < 3.0.4fixed 3.0.4
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
- CVE-2010-3933Oct 28, 2010affected >= 2.3.9, < 2.3.10fixed 2.3.10
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
- CVE-2008-4094Sep 30, 2008affected < 2.1.1fixed 2.1.1
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Page 2 of 2