684 matches found
GHSA-6WPV-CJ6X-V3JW http vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
The Ruby http gem before 0.6.4 and 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle attack...
rails_admin ruby gem XSS
An exploitable cross-site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary JavaScript in the victim's browser. An attacker can phish ...
rubygem-i18n: cross-site scripting flaw in exception handling
Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call...
rubygem-will_paginate: XSS vulnerabilities
It was found that ruby will_paginate is vulnerable to an XSS via malformed input that causes pagination to occur on an improper boundary. This could allow an attacker with the ability to pass data to the will_paginate gem to display arbitrary HTML including scripting code within the web interface...
Denial of service
The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to steal the login credentials by watching the process table...
Default credentials
The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semi-colon in their username or password...
CVE-2014-1834
The CVE-2014-1834 entry concerns the echor 0.1.6 Ruby Gem (backplane.rb) where the perform_request function allows local users to inject arbitrary commands by inserting a semicolon into their username or password. The root cause is insufficient input handling for user-supplied credentials, enabli...
CVE-2014-1835
CVE-2014-1835 affects the echor Ruby Gem (version 0.1.6) with a vulnerable perform_request implementation in /lib/echor/backplane.rb. This local-information-disclosure flaw allows an unprivileged local user to monitor the process table and obtain plaintext login credentials. The CVSS data in the ...
CVE-2014-1835
The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to steal the login credentials by watching the process table...
Gyazo allows local users to write arbitrary files
lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames...
GHSA-5JCF-C5RG-RMM8 paperclip Server-Side Request Forgery vulnerability
Paperclip ruby gem version 3.1.4 and later suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources...
delayed_job_web rails gem XSS vulnerability
Summary: An exploitable XSS vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary JavaScript in the victim's browser. An attacker can phish an authenticated...
GHSA-3V3C-R5V2-68PH private_address_check contains Incomplete List of Disallowed Inputs
The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery...
private_address_check vulnerable to bypass of Resolv.getaddresses method
The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery...
GHSA-HXHJ-HP9M-QWC4 private_address_check vulnerable to bypass of Resolv.getaddresses method
The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery...
GHSA-WWH7-4JW9-33X6 yajl-ruby gem Denial of Service vulnerability
In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service...
yajl-ruby gem Denial of Service vulnerability
In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service...
private_address_check ruby gem server-side request forgery vulnerability
private_address_check ruby gem is a Ruby-based checking tool for server-side request forgery attacks. A server-side request forgery vulnerability exists in versions of the private_address_check ruby gem prior to 0.4.1. An attacker can exploit this vulnerability to bypass blacklists and perform...
private_address_check ruby gem security restriction bypass vulnerability
private_address_check ruby gem is a Ruby-based checking tool for server-side request forgery attacks. A security restriction bypass vulnerability exists in the private_address_check ruby gem prior to version 0.4.0, which stems from the program's use of Ruby's Resolv.getaddresses method. An attacker...
CVE-2017-0909
The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery...