
17 matches found

SUSE CVE
added 2023/02/15 5:19 a.m., 2 views

SUSE CVE-2015-3225

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth...

CVSS 5, AI score 6.8, EPSS 0.13251
Exploits 0, References 9

Debian
added 2021/09/22 3:39 p.m., 33 views

[SECURITY] [DLA 2763-1] ruby-kaminari security update

Debian LTS Advisory DLA-2763-1 https://www.debian.org/lts/security/ Markus Koschany September 22, 2021 https://wiki.debian.org/LTS Package : ruby-kaminari Version : 0.17.0-3+deb9u1 CVE ID : CVE-2020-11082 Debian Bug : 961847 A security vulnerability has been found in...

CVSS 6.4, AI score 6.7, EPSS 0.00452
Exploits 0

Github Security Blog
added 2017/10/24 6:33 p.m., 46 views

actionmailer email address processing causes Denial of service

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message...

CVSS 4.3, AI score 6.2, EPSS 0.01333
Exploits 1, References 9, Affected Software 1

CVE
added 2015/07/26 10:00 p.m., 96 views

CVE-2015-3226

CVE-2015-3226 is an XSS vulnerability in Active Support's JSON encoding (ActiveSupport::JSON.encode) where a Hash with user-controlled data is mishandled during JSON encoding, potentially injecting script/HTML when inserted into HTML. Affected are Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2...

CVSS 4.3, AI score 4.9, EPSS 0.00212
Exploits 0, References 5, Affected Software 2

CVE
added 2015/07/26 10:00 p.m., 128 views

CVE-2015-1840

CVE-2015-1840 describes a CSRF/XSS-style risk in Rails tooling: jquery_ujs.js and rails.js could cause a CSRF token to be transmitted to a different-domain server when a URL attribute contains a leading space. This bypasses the Same Origin Policy under supported Rails setups (Rails 3.x/4.x with j...

CVSS 5, AI score 6.2, EPSS 0.00242
Exploits 1, References 8, Affected Software 1

Fedora
added 2015/06/30 12:18 a.m., 23 views

[SECURITY] Fedora 21 Update: rubygem-jquery-rails-3.1.0-3.fc21

This gem provides jQuery and the jQuery-ujs driver for your Rails 3 application...

CVSS 5, AI score 2.7, EPSS 0.00242
Exploits 1

Fedora
added 2015/06/30 12:04 a.m., 29 views

[SECURITY] Fedora 22 Update: rubygem-jquery-rails-3.1.0-3.fc22

This gem provides jQuery and the jQuery-ujs driver for your Rails 3 application...

CVSS 5, AI score 2.7, EPSS 0.00242
Exploits 1

RubySec
added 2014/10/30 12:00 a.m., 22 views

CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure

Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3...

CVSS 5, AI score 6.4, EPSS 0.00748
Exploits 0, References 1, Affected Software 1

RubySec
added 2014/07/02 12:00 a.m., 27 views

CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. It was...

CVSS 7.5, AI score 8.2, EPSS 0.01531
Exploits 0, References 1, Affected Software 1

RubySec
added 2014/02/18 12:00 a.m., 45 views

CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in heade...

CVSS 5, AI score 6.1, EPSS 0.06456
Exploits 0, References 1, Affected Software 1

NVD
added 2013/10/17 12:55 a.m., 20 views

CVE-2013-4389

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message...

CVSS 4.3, AI score 6.4, EPSS 0.01333
Exploits 1, References 6

Debian CVE
added 2013/10/17 12:00 a.m., 36 views

CVE-2013-4389

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message...

CVSS 4.3, AI score 6.2, EPSS 0.01333
Exploits 1

Cvelist
added 2013/10/17 12:00 a.m., 25 views

CVE-2013-4389

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message...

AI score 6.4, EPSS 0.01333
Exploits 1, References 6

RubySec
added 2013/10/16 12:00 a.m., 40 views

CVE-2013-4389 rubygem-actionmailer: email address processing DoS

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message...

CVSS 4.3, AI score 4.9, EPSS 0.01333
Exploits 1, References 1, Affected Software 1

UbuntuCve
added 2012/08/10 10:34 a.m., 42 views

CVE-2012-3463

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper...

CVSS 4.3, AI score 6, EPSS 0.00333
Exploits 1, References 4

RubySec
added 2012/07/26 12:00 a.m., 24 views

CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest

The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging...

CVSS 5, AI score 5.3, EPSS 0.00981
Exploits 1, References 1, Affected Software 1

The Hacker News
added 2010/12/04 1:43 a.m., 11 views

Dradis v2.6 - Tool for sharing information during security testing!

"Dradis is a tool for sharing information during security testing. While plenty of tools exist to help in the different stages of the test, not so many exist to share interesting information captured. When a team of testers is working on the same set of targets, having a common repository of...

AI score 6.5
Exploits 0