Loofah XSS Vulnerability

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments...

rack-protection gem timing attack vulnerability when validating CSRF token

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application...

omniauth-saml authentication bypass via incorrect XML canonicalization and DOM traversal

OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass...

Authentication bypass via incorrect XML canonicalization and DOM traversal

ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect XML canonicalization and DOM traversal. Specifically, there are inconsistencies in handling of comments within XML nodes, resulting in incorrect parsing of the inner text of XML nodes such that any inner text...

Doorkeeper gem has stored XSS on authorization consent view

Stored XSS on the OAuth Client's name will cause users being prompted for consent via the "implicit" grant type to execute the XSS payload. The XSS attack could gain access to the user's active session, resulting in account compromise. Any user is susceptible if they click the authorization link...

Multiple persistent XSS vulnerabilities in Radiant CMS

There are multiple Persistent XSS vulnerabilities in Radiant CMS. They affect Personal Preferences Name and Username and Configuration Site Title, Dev Site Domain, Page Parts, and Page Fields...

Path traversal is possible via backslash characters on Windows.

An issue was discovered in rack-protection 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters...

Nokogiri gem, via libxml, is affected by DoS vulnerabilities

The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5. Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause...

Nokogiri gem, via libxml, is affected by DoS vulnerabilities

The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6. It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consum...

Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.

Paperclip gem provides multiple ways a file can be uploaded to a web server. The vulnerability affects two of Paperclip’s IO adapters that accept URLs as attachment data UriAdapter and HttpUrlProxyAdapter. When these adapters are used, Paperclip acts as a proxy and downloads the file from the...

Cross-Site Scripting (XSS) in jquery

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option...

Denial of Service in jquery

Affected versions of jquery use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, jquery enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition. Recommendation Upda...

rails_admin ruby gem XSS vulnerability

An exploitable cross site scripting XSS vulnerability exists in the add filter functionality of the railsadmin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish ...

delayed_job_web ruby gem XSS vulnerability via `queues` parameter

An exploitable cross site scripting XSS vulnerability exists in the filter functionality of the delayedjobweb ruby gem. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated...

sinatra ruby gem path traversal via backslash characters on Windows

An issue was discovered in rack-protection/lib/rack/protection/pathtraversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters...

Radiant CMS 1.1.4 Markdown admin/pages/*/edit part_body_content cross site scripting

Radiant CMS 1.1.4 has XSS via crafted Markdown input in the partbodycontent parameter to an admin/pages//edit resource...

The lazy_initialize function in lib/resolv.rb in Ruby

The lazyinitialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernelopen, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input ma...

No validation of hostname certificate in net-ldap

The Net::LDAP aka net-ldap gem before 0.16.0 for Ruby has Missing SSL Certificate Validation. The LDAP server's certificate was not verified to match the host it was supposed to be connecting to...

Command injection vulnerability in Net::FTP

There is a command injection vulnerability in Net::FTP bundled with Ruby. Net::FTPget, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernelopen to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is...

Potential arbitrary file read vulnerability in yard server

lib/yard/coreext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files...

Unsafe objects can be loaded from Redis

Redis-store =v1.3.0 allows unsafe objects to be loaded from Redis via the use of the Marshal serializer...

gollum and gollum-lib allow remote authenticated users to execute arbitrary code

The gollum-gritadapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string master is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags...

gollum and gollum-lib allow remote authenticated users to execute arbitrary code

The gollum-gritadapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string master is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags...

cairo NULL pointer dereference

Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FTLoadGlyph and FTRenderGlyph resulting in an application crash...

Stored XSS in "geminabox" via injection in Gemspec "homepage" value

Stored cross-site scripting XSS vulnerability in "geminabox" Gem in a Box allows attackers to inject arbitrary web script via a crafted JavaScript URL in the "homepage" value of a ".gemspec" file. A ".gemspec" file must be created with a JavaScript URL in the homepage value. This can be used to...

private_address_check Ruby Gem Blacklist Bypass privilege escalation

The privateaddresscheck ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery...

SSRF vulnerability in Recurly gem's Resource#find.

If you are using the find method on any of the classes that are derived from the Resource class and you are passing user input into that method, a malicious user can force the http client to reach out to a server under their control. This can lead to leakage of your private API key. Because of th...

private_address_check Ruby Gem Resolv.getaddresses Server-Side Request Forgery

The privateaddresscheck ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery...

Flaw in yajl-ruby gem may cause a DoS

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajlstringdecode function in yajlencode.c. This results in the whole ruby process terminating and potentially a denial of service...

ox ruby gem stack overflow in sax_parse

In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based buffer over-read in the readfromstr function in saxbuf.c when a crafted input is supplied to saxparse...

ox ruby gem segmentation fault via parse_obj

In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parseobj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication...

RedCloth Cross-site Scripting vulnerability

Cross-site scripting XSS vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a "javascript:" URI...

XSS vulnerabilities in the mail_to helper in rails/actionview

Multiple cross-site scripting XSS vulnerabilities in the mailto helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted 1 name or 2 email value...

Moderate severity vulnerability that affects rails

Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."...

Filter Problems on Case-Insensitive Filesystems in rails/actionpack

actionpack/lib/actionview/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action...

High severity vulnerability that affects rails.

Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service application hang or "data loss," a differen...

Moderate severity vulnerability that affects rails

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirectto function...

Moderate severity vulnerability that affects rails

The session fixation protection mechanism in cgiprocess.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookieonly attribute from the DEFAULTSESSIONOPTIONS constant, which effectively causes cookieonly to be applied only to the first instantiation of CgiRequest, which allows remote...

High severity vulnerability that affects rails

Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOADPATH variable, a different vulnerability than CVE-2006-4112...

Moderate severity vulnerability that affects rails

Cross-site scripting XSS vulnerability in the tojson ActiveRecord::Basetojson function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values...

Moderate severity vulnerability that affects rails

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.fromxml Hashfromxml method, which uses XmlSimple XML::Simple unsafely, as demonstrated by reading passwords fro...

Rails vulnerable to Cross-site Scripting

Multiple cross-site scripting XSS vulnerabilities in "actionview/lib/actionview/helpers/numberhelper.rb" in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the 1 format, 2 negativeformat, or 3 units...

Moderate severity XSS vulnerability that affects rails

Cross-site scripting XSS vulnerability in the striptags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters,related to HTML::Tokenizer and...

UTF-8 escaping vulnerability in rails/activesupport

Cross-site scripting XSS vulnerability in activesupport/lib/activesupport/coreext/string/outputsafety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a...

Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan...

Moderate severity XSS vulnerability that affects rails

Cross-site scripting XSS vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. 9/4/2009 url mentions patches for 2.0, 2.1, 2.2, and 2.3 series...

actionpack and activesupport vulnerable to information leaks

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts...

SQL Injection Vulnerability in quote_table_name in rails/activerecord

Multiple SQL injection vulnerabilities in the quotetablename method in the ActiveRecord adapters in activerecord/lib/activerecord/connectionadapters in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a craft...

Potential SQL Injection with limit in rails/activerecord

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument...

Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and 3.0.0

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. Patches are available for 2.3 and 3.0 series...