Lucene search

Rubyonrails Rails 4.0.1

18 matches found

added 2016/04/07 11:59 p.m. | 199 views

CVE-2016-2097

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists ...

CVSS 5.3 | AI score 6.3 | EPSS 0.91051

added 2014/02/20 3:27 p.m. | 114 views

CVE-2014-0081

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) u...

CVSS 4.3 | AI score 5.9 | EPSS 0.00885

added 2016/02/16 2:59 a.m. | 106 views

CVE-2016-0751

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (me...

CVSS 7.5 | AI score 5.8 | EPSS 0.06145

added 2013/12/07 12:55 a.m. | 101 views

CVE-2013-6415

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.

CVSS 4.3 | AI score 5.4 | EPSS 0.01506

added 2013/12/07 12:55 a.m. | 95 views

CVE-2013-6414

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.

CVSS 5 | AI score 6.2 | EPSS 0.70843

added 2016/04/07 11:59 p.m. | 92 views

CVE-2016-2098

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

CVSS 7.5 | AI score 6.5 | EPSS 0.84091

added 2014/07/07 11:1 a.m. | 88 views

CVE-2014-3483

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting...

CVSS 7.5 | AI score 8.2 | EPSS 0.0125

added 2013/12/07 12:55 a.m. | 87 views

CVE-2013-6417

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictio...

CVSS 6.4 | AI score 7.5 | EPSS 0.11368

added 2016/09/07 7:28 p.m. | 85 views

CVE-2016-6316

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.

CVSS 6.1 | AI score 6.1 | EPSS 0.02193

added 2013/12/07 12:55 a.m. | 84 views

CVE-2013-4491

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers genera...

CVSS 4.3 | AI score 5.3 | EPSS 0.00713

added 2014/08/20 11:17 a.m. | 83 views

CVE-2014-3514

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

CVSS 7.5 | AI score 6.5 | EPSS 0.00331

added 2013/12/07 12:55 a.m. | 82 views

CVE-2013-6416

Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.

CVSS 4.3 | AI score 5.4 | EPSS 0.00236

added 2016/02/16 2:59 a.m. | 81 views

CVE-2015-7581

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.

CVSS 7.5 | AI score 5.9 | EPSS 0.09055

added 2016/02/16 2:59 a.m. | 80 views

CVE-2015-7576

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use...

CVSS 4.3 | AI score 5 | EPSS 0.01574

added 2016/02/16 2:59 a.m. | 80 views

CVE-2015-7577

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass in...

CVSS 5.3 | AI score 5.4 | EPSS 0.01209

added 2014/02/20 3:27 p.m. | 79 views

CVE-2014-0080

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) charact...

CVSS 6.8 | AI score 7.8 | EPSS 0.00248

added 2014/11/08 11:55 a.m. | 77 views

CVE-2014-7818

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence ...

CVSS 4.3 | AI score 6.4 | EPSS 0.00409

added 2014/11/18 11:59 p.m. | 75 views

CVE-2014-7829

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence ...

CVSS 5 | AI score 6.5 | EPSS 0.00409