Vulnerabilities (CVE)

Vendor: Rubyonrails
Product: Ruby On Rails

77 total CVEs
CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS
CVE-2013-1854 2 Rubyonrails, Redhat 2 Enterprise Linux, Ruby On Rails 2019-04-22 5.0
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted...
CVE-2013-1855 2 Rubyonrails, Redhat 2 Enterprise Linux, Ruby On Rails 2019-04-22 4.3
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline)...
CVE-2013-1857 2 Rubyonrails, Redhat 2 Enterprise Linux, Ruby On Rails 2019-04-22 4.3
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon)...
CVE-2014-7819 2 Rubyonrails, Sprockets Project 2 Ruby On Rails, Sprockets 2018-12-18 5.0
Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x...
CVE-2013-0156 2 Rubyonrails, Debian 3 Rails, Ruby On Rails, Debian Linux 2018-12-06 7.5
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct...
CVE-2013-0155 2 Rubyonrails, Debian 2 Ruby On Rails, Debian Linux 2018-12-06 6.4
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass...
CVE-2014-0081 4 Opensuse Project, Rubyonrails, Redhat and 1 more 5 Enterprise Linux, Ruby On Rails, Opensuse and 2 more 2018-10-30 4.3
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or...
CVE-2015-3227 3 Rubyonrails, Novell, Opensuse 3 Ruby On Rails, Opensuse, Opensuse 2018-10-30 5.0
The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
CVE-2014-7829 3 Rubyonrails, Novell, Opensuse 3 Ruby On Rails, Opensuse, Opensuse 2018-10-30 5.0
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is...
CVE-2014-7818 3 Rubyonrails, Novell, Opensuse 3 Ruby On Rails, Opensuse, Opensuse 2018-10-30 4.3
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is...
CVE-2006-4112 1 Rubyonrails 1 Ruby On Rails 2018-10-17 7.5
Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of...
CVE-2016-6317 1 Rubyonrails 1 Ruby On Rails 2018-08-13 5.0
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query...
CVE-2016-6316 2 Rubyonrails, Debian 2 Debian Linux, Ruby On Rails 2018-08-13 4.3
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used...
CVE-2012-1099 1 Rubyonrails 1 Ruby On Rails 2018-01-18 4.3
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject...
CVE-2017-17920 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8
** DISPUTED ** SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the...
CVE-2017-17919 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8
** DISPUTED ** SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the...
CVE-2017-17917 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8
** DISPUTED ** SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation...
CVE-2017-17916 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8
** DISPUTED ** SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the...
CVE-2012-1098 1 Rubyonrails 1 Ruby On Rails 2018-01-10 4.3
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated...
CVE-2014-0082 1 Rubyonrails 1 Ruby On Rails 2017-12-09 5.0
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service...