Rails@3.0.1 Security Vulnerabilities and Issues — Rails@3.0.1 CVE List

Lucene search

RubyonrailsRails3.0.1

10 matches found

CVE•added 2011/02/14 9:0 p.m.•105 views

CVE-2011-0446

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

4.3CVSS5.4AI score0.0067EPSS

CVE•added 2011/08/29 6:55 p.m.•97 views

CVE-2011-2930

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a cr...

7.5CVSS8.2AI score0.00955EPSS

CVE•added 2011/06/30 3:55 p.m.•94 views

CVE-2011-2197

The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a...

4.3CVSS5AI score0.00442EPSS

CVE•added 2011/08/29 6:55 p.m.•94 views

CVE-2011-2931

Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an inv...

4.3CVSS5.3AI score0.00813EPSS

CVE•added 2011/02/14 9:0 p.m.•89 views

CVE-2011-0447

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that l...

6.8CVSS6.6AI score0.0275EPSS

CVE•added 2011/02/21 6:0 p.m.•89 views

CVE-2011-0448

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

7.5CVSS7.4AI score0.00689EPSS

CVE•added 2011/02/21 6:0 p.m.•89 views

CVE-2011-0449

actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action na...

7.5CVSS6.4AI score0.00555EPSS

CVE•added 2011/08/29 6:55 p.m.•89 views

CVE-2011-2932

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to...

4.3CVSS5.4AI score0.00813EPSS

CVE•added 2011/11/28 11:55 a.m.•77 views

CVE-2011-4319

Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string w...

4.3CVSS5.4AI score0.00607EPSS

CVE•added 2011/08/29 6:55 p.m.•68 views

CVE-2011-2929

The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping ...

5CVSS6.4AI score0.00814EPSS