Rails Security Vulnerabilities and Issues — Page 3 of Rails CVE List

Lucene search

RubyonrailsRails

111 matches found

CVE•added 2011/08/29 6:55 p.m.•68 views

CVE-2011-2929

The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping ...

5CVSS6.4AI score0.00814EPSS

CVE•added 2021/10/19 2:15 p.m.•67 views

CVE-2011-1497

A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.

6.1CVSS5.9AI score0.00328EPSS

CVE•added 2024/06/04 8:15 p.m.•67 views

CVE-2024-28103

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

9.8CVSS6.8AI score0.00666EPSS

CVE•added 2024/10/16 8:15 p.m.•62 views

CVE-2024-47887

Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication ...

8.7CVSS6.8AI score0.00405EPSS

CVE•added 2024/10/16 9:15 p.m.•61 views

CVE-2024-47889

Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to t...

8.7CVSS6.5AI score0.00097EPSS

CVE•added 2013/04/22 3:27 a.m.•58 views

CVE-2013-3221

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks ...

6.4CVSS6.6AI score0.00483EPSS

CVE•added 2017/12/29 4:29 p.m.•51 views

CVE-2017-17916

SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted in...

8.1CVSS8.6AI score0.00582EPSS

CVE•added 2017/12/29 4:29 p.m.•51 views

CVE-2017-17917

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input

8.1CVSS8.6AI score0.01779EPSS

CVE•added 2019/11/12 9:15 p.m.•46 views

CVE-2010-3299

The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.

6.5CVSS6.4AI score0.00224EPSS

CVE•added 2024/06/04 8:15 p.m.•42 views

CVE-2024-32464

Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.

6.1CVSS5.9AI score0.00112EPSS

CVE•added 2014/11/16 5:59 p.m.•36 views

CVE-2014-3916

The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.

5CVSS6.5AI score0.0049EPSS

Total number of security vulnerabilities111