RubyGems package
rails
pkg:gem/rails
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-26143 | — | | | >= 7.0.0, < 7.0.8.1 | 7.0.8.1 | Feb 27, 2024 | Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted |
| CVE-2014-0081 | — | | | >= 3.0.0, < 3.2.17 | 3.2.17 | Feb 20, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negati |
| CVE-2009-4214 | — | | | < 2.2.2 | 2.2.2 | Dec 7, 2009 | Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack |
| CVE-2009-2422 | Cri | 9.8 | | < 2.3.3 | 2.3.3 | Jul 10, 2009 | The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers t |
| CVE-2008-5189 | — | | | < 2.0.5 | 2.0.5 | Nov 21, 2008 | CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. |
| CVE-2007-6077 | — | | | < 1.2.6 | 1.2.6 | Nov 21, 2007 | The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, wh |
| CVE-2007-5380 | — | | | < 1.2.4 | 1.2.4 | Oct 19, 2007 | Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions." |
| CVE-2007-5379 | — | | | < 1.2.4 | 1.2.4 | Oct 19, 2007 | Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated |
| CVE-2007-3227 | — | | | < 1.2.5 | 1.2.5 | Jun 14, 2007 | Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values. |
| CVE-2006-4112 | — | | | >= 1.1.0, < 1.1.6 | 1.1.6 | Aug 14, 2006 | Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "dat |
| CVE-2006-4111 | — | | | >= 1.1.0, < 1.1.6 | 1.1.6 | Aug 14, 2006 | Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. |