CVE-2021-32096

The ConsoleAction component of U.S. National Security Agency NSA Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code for an eval call via the CONSOLECOMMANDSTRING parameter...

CVE-2021-35514

Narou aka Narou.rb before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel...

CVE-2021-28966

In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir...

CVE-2021-39880

A Denial Of Service vulnerability in the apollouploadserver Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted...

CVE-2020-16254

The Chartkick gem through 3.3.2 for Ruby allows Cascading Style Sheets CSS Injection without attribute...

CVE-2020-16253

The PgHero gem through 2.6.0 for Ruby allows CSRF...

CVE-2020-16252

The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF...

CVE-2010-3299

The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks...

CVE-2012-5380

Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system environment variable by...

CVE-2013-1898

lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL...

CVE-2013-2513

The flashtool gem through 0.6.0 for Ruby allows command execution via shell metacharacters in the name of a downloaded file...

CVE-2013-2615

lib/entrycontroller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL...

CVE-2013-4203

The self.rungpg function in lib/rgpg/gpghelper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors...

CVE-2019-10780

BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open...

CVE-2011-5330

Distributed Ruby aka DRuby 1.8 mishandles the sending of syscalls...

CVE-2019-7615

A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'servercacert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the...

CVE-2019-25061

The randompasswordgenerator aka RandomPasswordGenerator gem through 1.0.0 for Ruby uses Kernelrand to generate passwords, which, due to its cyclic nature, can facilitate password prediction...

CVE-2019-13146

The fieldtest gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead...

CVE-2018-10199

In versions of mruby up to and including 1.4.0, a use-after-free vulnerability exists in src/io.c::Fileinitilializecopy. An attacker that can cause Ruby code to be run can possibly use this to execute arbitrary code...

CVE-2016-11086

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information...