VYPR

Ruby on Rails

by Rubyonrails

Source repositories

CVEs (52)

  • CVE-2009-2422 · Critical · Jul 10, 2009
    risk 0.64 · cvss 9.8 · epss 0.03

    The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers…

  • CVE-2016-2098 · High · Apr 7, 2016
    risk 0.57 · cvss 7.3 · epss 0.81

    Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

  • CVE-2017-17920 · High · Dec 29, 2017
    risk 0.53 · cvss 8.1 · epss 0.02

    SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for…

  • CVE-2017-17919 · High · Dec 29, 2017
    risk 0.53 · cvss 8.1 · epss 0.02

    SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for…

  • CVE-2017-17917 · High · Dec 29, 2017
    risk 0.53 · cvss 8.1 · epss 0.02

    SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use…

  • CVE-2017-17916 · High · Dec 29, 2017
    risk 0.53 · cvss 8.1 · epss 0.02

    SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for…

  • CVE-2016-0751 · High · Feb 16, 2016
    risk 0.43 · cvss 7.5 · epss 0.10

    actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a…

  • CVE-2016-6316 · Medium · Sep 7, 2016
    risk 0.40 · cvss 6.1 · epss 0.03

    Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag…

  • CVE-2015-7577 · Medium · Feb 16, 2016
    risk 0.35 · cvss 5.3 · epss 0.04

    activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote…

  • CVE-2016-2097 · Medium · Apr 7, 2016
    risk 0.28 · cvss 5.3 · epss 0.04

    Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this…

  • CVE-2015-7576 · Low · Feb 16, 2016
    risk 0.17 · cvss 3.7 · epss 0.05

    The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before…

  • CVE-2013-0333 · Jan 30, 2013
    risk 0.11 · cvss n/a · epss 0.99

    lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or…

  • CVE-2013-0156 · Jan 13, 2013
    risk 0.11 · cvss n/a · epss 0.99

    active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute…

  • CVE-2013-6414 · Dec 7, 2013
    risk 0.05 · cvss n/a · epss 0.21

    actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.

  • CVE-2013-0277 · Feb 13, 2013
    risk 0.01 · cvss n/a · epss 0.07

    ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

  • CVE-2010-3299 · Nov 12, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.

  • CVE-2015-3226 · Jul 26, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.

  • CVE-2014-7829 · Nov 18, 2014
    risk 0.00 · cvss n/a · epss 0.04

    Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to…

  • CVE-2014-7818 · Nov 8, 2014
    risk 0.00 · cvss n/a · epss 0.03

    Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to…

  • CVE-2014-3482 · Jul 7, 2014
    risk 0.00 · cvss n/a · epss 0.04

    SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper…

Page 1 of 3