5 matches found
CVE-2014-3514
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls...
Design/Logic Flaw
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls...
CVE-2014-3514
The CVE-2014-3514 entry concerns ActiveRecord in Ruby on Rails (Rails 4.0.x prior to 4.0.9 and 4.1.x prior to 4.1.5). The underlying issue is a bypass of strong parameters protection via crafted input to create_with calls, enabling remote attackers to bypass parameter filtering. Documented refere...
Strong Parameter bypass with create_with
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection...
Data Injection Vulnerability in Active Record
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models...