21 matches found
PT-2026-27254
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page,...
CVE-2022-35956
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 updatebycase gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrad...
EUVD-2022-6465
Malicious code in bioql PyPI...
EUVD-2023-1057
Malicious code in bioql PyPI...
Google Sign-In for Rails allowed redirect to protocol-relative URI
Summary It is possible to redirect a user to another origin if the "proceedto" value in the session store is set to a protocol-relative URL. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly...
GHSA-7PWC-WH6M-44Q3 Google Sign-In for Rails allowed redirects to malformed URLs
Summary It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is malformed, it's possible for the user to be...
CVE-2015-2179
The xaviershay-dm-rails gem 0.10.3.8 for Ruby allows local users to discover MySQL credentials by listing a process and its arguments...
CVE-2015-2179
The CVE-2015-2179 issue affects the xaviershay-dm-rails gem for Ruby, version 0.10.3.8, where a flaw in the execute() function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb exposes sensitive information via the process table. This can allow local users to discover MySQL credentials ...
GHSA-M875-3XF6-MF78 unpoly-rails Denial of Service vulnerability
There is a possible Denial of Service DoS vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications. Impact This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks. The unpoly-rails gem...
CVE-2022-35956
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 updatebycase gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrad...
Sql injection
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 updatebycase gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrad...
CVE-2022-35956 update_by_case before 0.1.3 vulnerable to sql injection
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 updatebycase gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrad...
Open Redirect
Overview clearance is an authentication app for rails. Affected versions of this package are vulnerable to Open Redirect. The vulnerability can be possible when users are able to set the value of session:returnto. If the value used for returnto contains multiple leading slashes /////example.com t...
GHSA-W7Q9-XR2X-WH7X delayed_job_web Cross-site Scripting vulnerability
An exploitable cross site scripting XSS vulnerability exists in the filter functionality of the delayedjobweb rails gem versions 1.2.9 before 1.4.2. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attack...
delayed_job_web Cross-site Scripting vulnerability
An exploitable cross site scripting XSS vulnerability exists in the filter functionality of the delayedjobweb rails gem versions 1.2.9 before 1.4.2. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attack...
CVE-2017-12097
An exploitable cross site scripting XSS vulnerability exists in the filter functionality of the delayedjobweb rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an...
CVE-2017-12097
An exploitable cross site scripting XSS vulnerability exists in the filter functionality of the delayedjobweb rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an...
CVE-2017-12097
An exploitable cross site scripting XSS vulnerability exists in the filter functionality of the delayedjobweb rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an...
CVE-2017-12098
Removed by vendor...
PT-2018-5348 · Rails · Delayed Job Web
Name of the Vulnerable Software and Affected Versions: delayed job web rails gem versions 1.2.9 through 1.4 Description: An exploitable cross site scripting XSS issue exists in the filter functionality. A specially crafted URL can cause an XSS flaw, allowing an attacker to execute arbitrary...