Package details: pkg:deb/debian/rails@2.3.14?distro=trixie
purl pkg:deb/debian/rails@2.3.14?distro=trixie
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (6)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1rgy-k7a9-m7au | XSS via posted select tag options. Ruby on Rails is vulnerable to remote cross-site scripting because the application does not validate manually generated `select tag options` upon submission to `actionpack/lib/action_view/helpers/form_options_helper.rb`. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | CVE-2012-1099, GHSA-2xjj-5x6h-8vmf, OSV-79727 |
| VCID-43f3-rxwm-fkgv | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." | CVE-2011-2932, GHSA-9fh3-vh3h-q4g3 |
| VCID-4cky-r218-dkbb | activerecord vulnerable to SQL Injection. Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. | CVE-2011-2930, GHSA-h6w6-xmqv-7q78 |
| VCID-knsd-pv15-tydx | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross-site scripting (XSS) vulnerability in the `strip_tags` helper in `actionpack/lib/action_controller/vendor/html-scanner/html/node.rb` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. | CVE-2011-2931, GHSA-v5jg-558j-q67c |
| VCID-kr1b-uct1-7kf6 | Response Splitting Vulnerability in Ruby on Rails. A response splitting flaw can allow a remote attacker to inject arbitrary HTTP headers into a response due to insufficient sanitization of the values provided for response content types. | CVE-2011-3186, GHSA-fcqf-h4h4-695m, OSV-74616 |
| VCID-va9q-fjn6-yqee | Direct Manipulation XSS. Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate direct manipulations of `SafeBuffer` objects via `'[]'` and other methods. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | CVE-2012-1098, GHSA-qv8p-v9qw-wc7g, OSV-79726 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T09:55:58.679126+00:00 | Debian Importer | Fixing | VCID-4cky-r218-dkbb | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:46:39.160471+00:00 | Debian Importer | Fixing | VCID-43f3-rxwm-fkgv | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:38:08.388063+00:00 | Debian Importer | Fixing | VCID-va9q-fjn6-yqee | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:19:40.604967+00:00 | Debian Importer | Fixing | VCID-knsd-pv15-tydx | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:47:27.971243+00:00 | Debian Importer | Fixing | VCID-kr1b-uct1-7kf6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:46:59.834438+00:00 | Debian Importer | Fixing | VCID-1rgy-k7a9-m7au | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T08:40:41.327268+00:00 | Debian Importer | Fixing | VCID-knsd-pv15-tydx | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T06:38:59.573965+00:00 | Debian Importer | Fixing | VCID-4cky-r218-dkbb | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T06:31:46.579031+00:00 | Debian Importer | Fixing | VCID-43f3-rxwm-fkgv | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:24:46.691128+00:00 | Debian Importer | Fixing | VCID-va9q-fjn6-yqee | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T17:54:21.194002+00:00 | Debian Importer | Fixing | VCID-kr1b-uct1-7kf6 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T17:53:58.559619+00:00 | Debian Importer | Fixing | VCID-1rgy-k7a9-m7au | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-03T07:51:45.032720+00:00 | Debian Importer | Fixing | VCID-1rgy-k7a9-m7au | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:51:44.983592+00:00 | Debian Importer | Fixing | VCID-va9q-fjn6-yqee | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:51:44.877303+00:00 | Debian Importer | Fixing | VCID-kr1b-uct1-7kf6 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:51:44.829707+00:00 | Debian Importer | Fixing | VCID-43f3-rxwm-fkgv | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:51:44.780671+00:00 | Debian Importer | Fixing | VCID-knsd-pv15-tydx | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:51:44.731824+00:00 | Debian Importer | Fixing | VCID-4cky-r218-dkbb | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |