CVE-2019-14282
The simplecaptcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party...
CVE-2019-13146
The fieldtest gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead...
XSS Vulnerability in Chartkick Ruby Gem
Chartkick is vulnerable to a cross-site scripting (XSS) attack if both of the following conditions are met: Condition 1: It's used with `ActiveSupport.escape_html_entities_in_json = false` (this is not the default for Rails) OR used with a non-Rails framework like Sinatra. Condition 2: Untrusted data or optio...
GHSA-WW4X-RWQ6-QPGF OmniAuth Ruby gem Cross-site Request Forgery in request phase
The request phase of the OmniAuth Ruby gem 1.9.2 and earlier is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able ...
OmniAuth Ruby gem Cross-site Request Forgery in request phase
The request phase of the OmniAuth Ruby gem 1.9.2 and earlier is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able ...
rubygem-actionpack: render file directory traversal in Action View
A content disclosure flaw was found in rubygem-actionview. Specially crafted accept headers, in combination with calls to 'render file:', can cause arbitrary files on the target server to be rendered, disclosing the file contents. Code execution cannot be ruled out if the attacker is able to gain...
Cross site request forgery (csrf)
The request phase of the OmniAuth Ruby gem 1.9.1 and earlier is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able ...
CVE-2015-9284
The request phase of the OmniAuth Ruby gem 1.9.1 and earlier is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able ...
CVE-2015-9284
CVE-2015-9284 describes a CSRF vulnerability in the OAuth/OmniAuth request phase for the Ruby gem (1.9.1 and earlier) used with Rails. The issue allows a malicious actor to connect a secondary account without user intent, enabling sign-in as the user’s primary account. Affected component: OmniAut...
devise Time-of-check Time-of-use Race Condition vulnerability
Devise Ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to `increment_failed_attempts` within the Devise::Models::Lockable class not being concurrency safe...
GHSA-73RF-6MRF-759Q devise Time-of-check Time-of-use Race Condition vulnerability
Devise Ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to `increment_failed_attempts` within the Devise::Models::Lockable class not being concurrency safe...
Command injection
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7: Command Injection vulnerability in a user-supplied url variable that is passed to the shell...
CVE-2013-2516
Affected software: Ruby Gem Fileutils (FileUtils) up to v0.7. The vulnerability is a Command Injection flaw where a user-supplied URL passed to the shell can be exploited. Root cause: insecure handling of the URL in file_utils.rb, leading to shell execution. Impact: potential remote code executio...
CVE-2013-2516
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7: Command Injection vulnerability in a user-supplied url variable that is passed to the shell...
DEBIAN-CVE-2018-16468
In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished...
PT-2018-2643
Name of the vulnerable software and affected versions: Loofah gem for Ruby, versions through 2.2.2. Description: The issue is related to insufficient sanitization of JavaScript within SVG elements, which can lead to the occurrence of unsanitized JavaScript in sanitized output when a crafted SVG element i...
GHSA-W655-W578-99PQ High severity vulnerability that affects espeak-ruby
Withdrawn, accidental duplicate publish. The espeak-ruby gem before 1.0.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the `speak`, `save`, `bytes` or `bytes_wav` method in lib/espeak/speech.rb...
GHSA-9WV8-JGW4-4G28 High severity vulnerability that affects festivaltts4r
Withdrawn, accidental duplicate publish. The festivaltts4r gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the (1) `to_speech` or (2) `to_mp3` method in lib/festivaltts4r/festival4r.rb...
GHSA-9WCM-RRVH-QJC8 High severity vulnerability that affects colorscore
Withdrawn, accidental duplicate publish. The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) `image_path`, (2) `colors`, or (3) `depth` variable...
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The active-support Ruby gem could allow a remote attacker to execute arbitrary code on the system, because it contains a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system...