| purl | pkg:deb/debian/rails@2.3.14.1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3wtf-uu89-2qe5 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. | CVE-2014-0081, GHSA-m46p-ggm5-5j83, OSV-103439 |
| VCID-4epw-vk25-mfdw | XSS vulnerability in sanitize_css in Action Pack: Carefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack. | CVE-2013-1855, GHSA-q759-hwvc-m3jg, OSV-91452 |
| VCID-4he5-y1u4-gkd2 | XSS Vulnerability in the `sanitize` helper: The `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious. | CVE-2013-1857, GHSA-j838-vfpq-fmf2, OSV-91454 |
| VCID-ca7u-t1y4-uuc7 | Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3: There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. | CVE-2013-0333, GHSA-xgr2-v94m-rc9g, OSV-89594 |
| VCID-carc-ntrd-ebfe | Multiple vulnerabilities in parameter parsing in Action Pack: There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. | CVE-2013-0156, GHSA-jmgw-6vjg-jjwg, OSV-89026 |
| VCID-cwa7-9d2t-rfhb | actionpack Cross-site Scripting vulnerability: Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. | CVE-2012-3465, GHSA-7g65-ghrg-hpf5, OSV-84513 |
| VCID-eb5z-q7rj-j7hh | Active Record component in Ruby on Rails has a data-type injection vulnerability: The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. | CVE-2013-3221, GHSA-f57c-hx33-hvh8 |
| VCID-hbtn-7423-m3gb | Circumvention of attr_protected: The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected. | CVE-2013-0276, GHSA-gr44-7grc-37vq, OSV-90072 |
| VCID-hr2h-y693-sbgc | activesupport Cross-site Scripting vulnerability: Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails before 2.3.16, 3.0.x before , 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. | CVE-2012-3464, GHSA-h835-75hw-pj89, OSV-84516 |
| VCID-j7p8-hchp-xbe3 | Unsafe Query Generation Risk in Ruby on Rails: Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query; however, they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it. | CVE-2013-0155, GHSA-gppp-5xc5-wfpx, OSV-89025 |
| VCID-kkbt-pr7u-f7gn | Active Record contains SQL Injection: SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. | CVE-2012-6496, GHSA-gh2w-j7cx-2664, OSV-88661 |
| VCID-mep3-6sub-ykdk | Denial of Service Vulnerability when using render :text: Strings sent in specially crafted headers will be converted to symbols. | CVE-2014-0082, GHSA-7cgp-c3g7-qvrw, OSV-103440 |
| VCID-nk6g-hhsk-8kaw | Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0: There is a vulnerability in the serialized attribute handling code in Ruby on Rails; applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. | CVE-2013-0277, GHSA-fhj9-cjjh-27vm, OSV-90073 |
| VCID-sz4r-kjse-cbdd | Remote attacker can conduct SQL injection attacks: Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker could more easily conduct SQL injection attacks. | CVE-2012-6497, GHSA-rx7j-mw4c-76g9, OSV-89064 |
| VCID-xa94-z6yu-skf8 | Symbol DoS vulnerability in Active Record: When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the workarounds immediately. | CVE-2013-1854, GHSA-3crr-9vmg-864v, OSV-91453 |