Filtered by vendor Rubyonrails
Subscribe
Total
137 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-6416 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute. | |||||
| CVE-2015-7580 | 1 Rubyonrails | 2 Html Sanitizer, Rails | 2019-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. | |||||
| CVE-2015-7579 | 1 Rubyonrails | 2 Html Sanitizer, Rails | 2019-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class. | |||||
| CVE-2015-7578 | 1 Rubyonrails | 2 Html Sanitizer, Rails | 2019-08-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes. | |||||
| CVE-2010-3933 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 6.4 MEDIUM | N/A |
| Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. | |||||
| CVE-2009-4214 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. | |||||
| CVE-2009-3009 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. | |||||
| CVE-2008-5189 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. | |||||
| CVE-2014-3916 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 5.0 MEDIUM | N/A |
| The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string. | |||||
| CVE-2008-4094 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | |||||
| CVE-2006-4112 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 7.5 HIGH | N/A |
| Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111. | |||||
| CVE-2006-4111 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 7.5 HIGH | N/A |
| Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. | |||||
| CVE-2009-3086 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 5.0 MEDIUM | N/A |
| A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. | |||||
| CVE-2011-3186 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 4.3 MEDIUM | N/A |
| CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header. | |||||
| CVE-2007-3227 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values. | |||||
| CVE-2015-1840 | 3 Fedoraproject, Opensuse, Rubyonrails | 4 Fedora, Opensuse, Jquery-rails and 1 more | 2018-10-30 | 5.0 MEDIUM | N/A |
| jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value. | |||||
| CVE-2015-3224 | 1 Rubyonrails | 1 Web Console | 2016-12-03 | 4.3 MEDIUM | N/A |
| request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request. | |||||