Azure Linux 3.0 Security Update: ruby / rubygem-rexml (CVE-2024-35176)

The version of ruby / rubygem-rexml installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-35176 advisory. - REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service...

Photon OS 5.0: Ruby PHSA-2025-5.0-0468

An update of the ruby package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2025-5.0-0468. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

USN-7256-1: Ruby vulnerabilities

It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service...

USN-7256-1 ruby2.7 vulnerabilities

It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service...

Ubuntu 20.04 LTS : Ruby vulnerabilities (USN-7256-1)

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7256-1 advisory. It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using REXML gem. An...

OPENSUSE-SU-2025:14741-1 ruby3.4-rubygem-http-cookie-1.0.8-1.1 on GA media

These are all security issues fixed in the ruby3.4-rubygem-http-cookie-1.0.8-1.1 package on the GA media of openSUSE Tumbleweed...

CVE-2022-36006

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution RCE vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This...

CVE-2022-24722

VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the viewcomponent gem. Data received via user input and passed as an...

CVE-2017-11428

OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication...

CVE-2020-26223

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Ord...

CVE-2024-32463

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an tag...

Medium: ruby3.2

Issue Overview: A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396parser.rb and rfc3986parser.rb. NOTE: this issue...

Medium: ruby3.2

Issue Overview: A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396parser.rb and rfc3986parser.rb. NOTE: this issue...

Amazon Linux 2023 : ruby3.2, ruby3.2-bundled-gems, ruby3.2-default-gems (ALAS2023-2025-839)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-839 advisory. A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings...

Important Photon OS Security Update - PHSA-2025-5.0-0468

Updates of 'ruby', 'openjdk17' packages of Photon OS have been released...

ROS-20250203-15

Vulnerability in Active Support PostgreSQL component of Ruby interpreter is related to insufficient validation of user input in Active Support in Inflector.underscore. user input data in Active Support in Inflector.underscore. Exploitation of the vulnerability could allow an attacker acting...

ROS-20250203-14

A vulnerability in the Action Dispatch component of the Ruby on Rails software platform is related to insufficient validation of user input in Action Dispatch. insufficient validation of user input data in Action Dispatch. Exploitation of the vulnerability could allow an attacker acting remotely ...

ROS-20250203-13

A vulnerability in the Active Record component of the Ruby on Rails software platform is related to the possibility of injecting SQL code through comments. SQL code through comments. Exploitation of the vulnerability could allow an attacker acting remotely, execute arbitrary code Vulnerability of...

The vulnerability of the content_security_policy function in the Action Pack interpreter for Ruby allows attackers to perform cross-site scripting (XSS) attacks.

The vulnerability of the contentsecuritypolicy function in the Action Pack interpreter for Ruby is related to the lack of measures taken to protect the structure of web pages. Exploiting this vulnerability could allow a malicious actor, operating remotely, to perform cross-site scripting attacks...

Malicious code in ruby-typeprof (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=-...