Lucene search

K
RubyonrailsRails3.0.17

15 matches found

CVE
CVE
added 2013/01/30 12:0 p.m.129 views

CVE-2013-0333

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication vi...

7.5CVSS10AI score0.91935EPSS
CVE
CVE
added 2014/02/20 3:27 p.m.114 views

CVE-2014-0081

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) u...

4.3CVSS5.9AI score0.00885EPSS
CVE
CVE
added 2013/02/13 1:55 a.m.113 views

CVE-2013-0277

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.

10CVSS7.5AI score0.07162EPSS
CVE
CVE
added 2013/03/19 10:55 p.m.111 views

CVE-2013-1855

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to ...

4.3CVSS5.5AI score0.00536EPSS
CVE
CVE
added 2013/12/07 12:55 a.m.101 views

CVE-2013-6415

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.

4.3CVSS5.4AI score0.01506EPSS
CVE
CVE
added 2013/03/19 10:55 p.m.100 views

CVE-2013-1857

The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote atta...

4.3CVSS5.4AI score0.00625EPSS
CVE
CVE
added 2013/12/07 12:55 a.m.95 views

CVE-2013-6414

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.

5CVSS6.2AI score0.70843EPSS
CVE
CVE
added 2014/02/20 3:27 p.m.89 views

CVE-2014-0082

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in head...

5CVSS6AI score0.06456EPSS
CVE
CVE
added 2013/12/07 12:55 a.m.87 views

CVE-2013-6417

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictio...

6.4CVSS7.5AI score0.11368EPSS
CVE
CVE
added 2016/09/07 7:28 p.m.85 views

CVE-2016-6316

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.

6.1CVSS6.1AI score0.02193EPSS
CVE
CVE
added 2013/12/07 12:55 a.m.84 views

CVE-2013-4491

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers genera...

4.3CVSS5.3AI score0.00713EPSS
CVE
CVE
added 2014/11/08 11:55 a.m.77 views

CVE-2014-7818

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence ...

4.3CVSS6.4AI score0.00409EPSS
CVE
CVE
added 2014/11/18 11:59 p.m.75 views

CVE-2014-7829

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence ...

5CVSS6.5AI score0.00409EPSS
CVE
CVE
added 2014/07/07 11:1 a.m.72 views

CVE-2014-3482

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.

7.5CVSS8.3AI score0.01435EPSS
CVE
CVE
added 2013/04/22 3:27 a.m.58 views

CVE-2013-3221

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks ...

6.4CVSS6.6AI score0.00483EPSS