Search for packages
| purl | pkg:deb/debian/rails@2:2.3.14.2 |
| Next non-vulnerable version | 2:7.2.3.1+dfsg-1 |
| Latest non-vulnerable version | 2:7.2.3.1+dfsg-1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12x8-jxdf-jqdz
Aliases: CVE-2021-22881 GHSA-8877-prq4-9xfw |
Actionpack Open Redirect Vulnerability The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
Affected by 19 other vulnerabilities. |
|
VCID-19fr-55kr-hyax
Aliases: CVE-2023-23913 GHSA-xp5h-f8jf-rc8q |
rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute. This vulnerability has been assigned the CVE identifier CVE-2023-23913. Not affected: < 5.1.0 Versions Affected: >= 5.1.0 Fixed Versions: 6.1.7.3, 7.0.4.3 Impact If the specified malicious HTML clipboard content is provided to a contenteditable element, this could result in the arbitrary execution of javascript on the origin in question. Releases The FIXED releases are available at the normal locations. Workarounds We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can attempt to mitigate this vulnerability by removing the contenteditable attribute from elements in pages that rails-ujs will interact with. Patches To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series * rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits We would like to thank ryotak 15 for reporting this! * rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB) * rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB) * rails-ujs-data-method-contenteditable-main.patch (8.9 KB) |
Affected by 19 other vulnerabilities. |
|
VCID-1bxs-yghe-cyck
Aliases: CVE-2021-22942 GHSA-2rqw-v265-jf8c |
URL Redirection to Untrusted Site ('Open Redirect') A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. |
Affected by 19 other vulnerabilities. |
|
VCID-1rxp-g9rz-4yb3
Aliases: CVE-2023-28120 GHSA-pj73-v5mw-pm9j GMS-2023-765 |
Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input. |
Affected by 19 other vulnerabilities. |
|
VCID-1x8k-t8mr-3fgp
Aliases: CVE-2021-44528 GHSA-qphc-hf5q-v8fc |
URL Redirection to Untrusted Site ('Open Redirect') A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. |
Affected by 19 other vulnerabilities. |
|
VCID-2efj-tf8d-dfck
Aliases: CVE-2014-3514 GHSA-9rf5-jm6f-2fmm |
Strong Parameter bypass with create_with The `create_with` functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection. |
Affected by 53 other vulnerabilities. |
|
VCID-31xv-z8c6-a7bg
Aliases: CVE-2020-15169 GHSA-cfjv-5498-mph5 |
XSS in Action View There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. ### Impact When an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples: ```erb <%# The welcome_html translation is not defined for the current locale: %> <%= t("welcome_html", default: untrusted_user_controlled_string) %> <%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %> <%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %> ``` ### Patches Patched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations. The patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest. To aid users who aren’t able to upgrade immediately, we’ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) — patch for the 5.2 release series * [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) — patch for the 6.0 release series Please note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases. ### Workarounds Impacted users who can’t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`): ```erb <%= t("welcome_html", default: h(untrusted_user_controlled_string)) %> ``` |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-333w-aacz-mfcr
Aliases: CVE-2014-7829 GHSA-h56m-vwxc-3qpw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 53 other vulnerabilities. |
|
VCID-3hur-esmy-x3hr
Aliases: CVE-2024-47888 GHSA-wwhv-wxv9-rpgw |
Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888. Impact ------ Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2 Credits ------- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report! |
Affected by 8 other vulnerabilities. |
|
VCID-3m2y-wy1w-n7h1
Aliases: CVE-2014-3483 GHSA-r8fh-hq2p-7qhq OSV-108665 |
SQL Injection Vulnerabilities Affecting PostgreSQL SQLi vulnerability in activerecord. |
Affected by 53 other vulnerabilities. |
|
VCID-5qu2-b8gt-7qe3
Aliases: CVE-2021-22880 GHSA-8hc4-xxm3-5ppp |
Active Record subject to Regular Expression Denial-of-Service (ReDoS) The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-5x54-hckg-x7b8
Aliases: CVE-2018-16477 GHSA-7rr7-rcjw-56vj |
Exposure of Sensitive Information to an Unauthorized Actor A bypass vulnerability in Active Storage for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed |
Affected by 35 other vulnerabilities. |
|
VCID-63gy-6njy-kbd8
Aliases: CVE-2023-22792 GHSA-p84v-45xj-wwqj GMS-2023-58 |
ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
Affected by 19 other vulnerabilities. |
|
VCID-6ku5-mtgz-zygw
Aliases: CVE-2023-22796 GHSA-j6gc-792m-qgm2 GMS-2023-61 |
Duplicate This advisory duplicates another. |
Affected by 19 other vulnerabilities. |
|
VCID-6pxd-xsaw-tuer
Aliases: CVE-2023-38037 GHSA-cr5q-6q9f-rq6q |
Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5 |
Affected by 8 other vulnerabilities. |
|
VCID-6yr6-a21g-dyf5
Aliases: CVE-2018-16476 GHSA-q2qw-rmrh-vv42 |
Deserialization of Untrusted Data A Broken Access Control vulnerability in Active Job |
Affected by 35 other vulnerabilities. |
|
VCID-86jq-2md2-d7ah
Aliases: CVE-2016-6316 GHSA-pc3m-v286-2jwj |
Possible XSS Vulnerability in ActionView There is a possible XSS vulnerability in Action View. Text declared as `HTML safe` will not have quotes escaped when used as attribute values in tag helpers. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-895a-ydc5-zfg6
Aliases: CVE-2020-8162 GHSA-m42x-37p3-fv5w |
Circumvention of file size limits in ActiveStorage There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user. Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1 Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded. |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-8dad-dvat-1fg4
Aliases: CVE-2019-5418 GHSA-86g5-2wh3-gc9j |
Path Traversal in Action View # File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file" end end ``` Rendering templates as opposed to files is not impacted by this vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. Workarounds ----------- This vulnerability can be mitigated by specifying a format for file rendering, like this: ``` ruby class UserController < ApplicationController def index render file: "#{Rails.root}/some/file", formats: [:html] end end ``` In summary, impacted calls to `render` look like this: ``` render file: "#{Rails.root}/some/file" ``` The vulnerability can be mitigated by changing to this: ``` render file: "#{Rails.root}/some/file", formats: [:html] ``` Other calls to `render` are not impacted. Alternatively, the following monkey patch can be applied in an initializer: ``` ruby $ cat config/initializers/formats_filter.rb # frozen_string_literal: true ActionDispatch::Request.prepend(Module.new do def formats super().select do |format| format.symbol || format.ref == "*/*" end end end) ``` Credits ------- Thanks to John Hawthorn <john@hawthorn.email> of GitHub |
Affected by 35 other vulnerabilities. |
|
VCID-9hq5-3usy-5fhq
Aliases: CVE-2016-0751 GHSA-ffpv-c4hm-3x6v |
Possible Object Leak and Denial of Service attack A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-9t7a-muwx-zyee
Aliases: CVE-2016-6317 GHSA-pr3r-4wrp-r2pv |
Improper Access Control The Rails gem does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing `WHERE` clauses via a crafted request. |
Affected by 41 other vulnerabilities. |
|
VCID-a6sp-18av-wya6
Aliases: CVE-2020-8164 GHSA-8727-m6gj-mc37 |
Possible Strong Parameters Bypass in ActionPack There is a strong parameters bypass vector in ActionPack. Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input. Impacted code will look something like this: ``` def update # Attacker has included the parameter: `{ is_admin: true }` User.update(clean_up_params) end def clean_up_params params.each { |k, v| SomeModel.check(v) if k == :name } end ``` Note the mistaken use of `each` in the `clean_up_params` method in the above example. Workarounds ----------- Do not use the return values of `each`, `each_value`, or `each_pair` in your application. |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-bjwf-uhyk-63aj
Aliases: CVE-2015-7576 GHSA-p692-7mm3-3fxg |
Timing attack vulnerability in basic authentication Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-c8b5-d83n-nuhw
Aliases: CVE-2019-5419 GHSA-m63j-wh5w-c252 |
Allocation of Resources Without Limits or Throttling There is a possible denial of service vulnerability in Action View (Rails) where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive. |
Affected by 35 other vulnerabilities. |
|
VCID-ce39-j83r-6ug9
Aliases: CVE-2022-22577 GHSA-mm33-5vfq-3mm3 GMS-2022-1137 |
Duplicate This advisory duplicates another. |
Affected by 19 other vulnerabilities. |
|
VCID-d15q-6ukb-wfff
Aliases: CVE-2015-7581 GHSA-9h6g-gp95-x3q5 |
Object leak vulnerability for wildcard controller routes Users that have a route that contains the string `:controller` are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain `:controller`. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-dd9p-x7k3-37ea
Aliases: CVE-2023-28362 GHSA-4g8v-vg43-wpgf |
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362. Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4 |
Affected by 8 other vulnerabilities. |
|
VCID-drg6-gj1f-h7ea
Aliases: CVE-2022-21831 GHSA-w749-p3v6-hccq GMS-2022-301 |
Duplicate This advisory duplicates another. |
Affected by 19 other vulnerabilities. |
|
VCID-ed3f-3bxh-eba4
Aliases: CVE-2015-3227 GHSA-j96r-xvjq-r9pg |
activesupport vulnerable to Denial of Service via large XML document depth The (1) `jdom.rb` and (2) `rexml.rb` components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-es1t-7196-4kbb
Aliases: CVE-2020-8167 GHSA-xq5j-gw7f-jgj8 |
CSRF Vulnerability in rails-ujs There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails <= 6.0.3 Not affected: Applications which don't use rails-ujs. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent. Workarounds ----------- To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters. For example, code like this: link_to params to code like this: link_to filtered_params def filtered_params # Filter just the parameters that you trust end |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-g3rk-djae-pkeh
Aliases: CVE-2024-54133 GHSA-vfm5-rmrh-j26v |
Possible Content Security Policy bypass in Action Dispatch There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack. Impact ------ Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. Credits ------- Thanks to [ryotak](https://hackerone.com/ryotak) for the report! |
Affected by 8 other vulnerabilities. |
|
VCID-g5q6-7uav-sqh1
Aliases: CVE-2020-8163 GHSA-cr3x-7m39-c6jq |
Remote code execution via user-provided local names in ActionView The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. |
Affected by 35 other vulnerabilities. |
|
VCID-gjey-bqtd-kqa1
Aliases: CVE-2021-22885 GHSA-hjg4-8q5f-x6fm |
Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this. |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-hppf-a715-r7b2
Aliases: CVE-2023-22795 GHSA-8xww-x3g3-6jcv GMS-2023-56 |
ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. |
Affected by 19 other vulnerabilities. |
|
VCID-jwun-grgg-2uet
Aliases: CVE-2022-23633 CVE-2022-23634 GHSA-rmj8-8hhh-gv5h GHSA-wh98-p28r-vrc9 |
Exposure of information in Action Pack Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used. |
Affected by 19 other vulnerabilities. |
|
VCID-mnkw-23eu-bkgc
Aliases: CVE-2020-8166 GHSA-jp5v-5gx4-jmj9 |
Ability to forge per-form CSRF tokens in Rails It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session. Impact ------ Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded. |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-p5mc-r1rg-5ff7
Aliases: CVE-2022-27777 GHSA-ch3h-j2vf-95pv GMS-2022-1138 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview. |
Affected by 19 other vulnerabilities. |
|
VCID-pb5f-g4uc-r7fp
Aliases: CVE-2016-0753 GHSA-543v-gj2c-r3ch |
Possible Input Validation Circumvention Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to allow parameters and must specifically opt-out of input verification using the `permit!` method to allow mass assignment. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-s5ah-tf63-a7cw
Aliases: CVE-2016-2098 GHSA-78rc-8c29-p45g |
Improper Input Validation The Rails gem allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-sb9g-rdnm-rqbm
Aliases: CVE-2014-3482 GHSA-mhwp-qhpc-h3jm OSV-108664 |
SQL Injection in Active Record SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. |
Affected by 53 other vulnerabilities. |
|
VCID-sfyc-jewr-wuf5
Aliases: CVE-2024-47887 GHSA-vfg9-r3fq-jvx4 |
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887. Impact ------ For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for reporting |
Affected by 8 other vulnerabilities. |
|
VCID-sgdb-985e-4uej
Aliases: CVE-2024-41128 GHSA-x76w-6vjr-8xgj |
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128. Impact ------ Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users on Ruby 3.2 are unaffected by this issue. Credits ------- Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches! |
Affected by 8 other vulnerabilities. |
|
VCID-sygb-mygd-s3gb
Aliases: CVE-2022-44566 GHSA-579w-22j4-4749 GMS-2023-59 |
Duplicate This advisory duplicates another. |
Affected by 8 other vulnerabilities. |
|
VCID-t2cx-7ycd-tqhq
Aliases: CVE-2015-3226 GHSA-vxvp-4xwc-jpp6 |
activesupport Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-t684-yp58-hkg8
Aliases: CVE-2020-8165 GHSA-2p68-f74v-9wc6 |
ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like: ``` data = cache.fetch("demo", raw: true) { untrusted_string } ``` Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application. In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes, detect if data was serialized using the raw option upon deserialization. Workarounds ----------- It is recommended that application developers apply the suggested patch or upgrade to the latest release as soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using the `raw` argument should be double-checked to ensure that they conform to the expected format. |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-t9yh-ss8z-e3cb
Aliases: CVE-2023-22794 GHSA-hq7p-j377-6v63 GMS-2023-60 |
Duplicate This advisory duplicates another. |
Affected by 19 other vulnerabilities. |
|
VCID-thx6-usb2-kkgc
Aliases: CVE-2015-7577 GHSA-xrr6-3pc4-m447 |
Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-v3r3-bwp5-a3bn
Aliases: CVE-2016-0752 GHSA-xrr4-p6fq-hjg7 |
Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-v9mt-t1pb-hybk
Aliases: CVE-2020-5267 GHSA-65cv-r6x7-79hv |
Cross site scripting vulnerability in ActionView There is a possible cross site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. ### Impact There is a possible XSS vulnerability in the `j` and `escape_javascript` methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this: ```erb <script>let a = `<%= j unknown_input %>`</script> ``` or ```erb <script>let a = `<%= escape_javascript unknown_input %>`</script> ``` ### Releases The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations. ### Workarounds For those that can't upgrade, the following monkey patch may be used: ```ruby ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!( { "`" => "\\`", "$" => "\\$" } ) module ActionView::Helpers::JavaScriptHelper alias :old_ej :escape_javascript alias :old_j :j def escape_javascript(javascript) javascript = javascript.to_s if javascript.empty? result = "" else result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) end javascript.html_safe? ? result.html_safe : result end alias :j :escape_javascript end ``` ### Patches To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * [5-2-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-5-2-js-helper-xss-patch) - Patch for 5.2 series * [6-0-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-6-0-js-helper-xss-patch) - Patch for 6.0 series Please note that only the 5.2 and 6.0 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. ### Credits Thanks to Jesse Campos from Chef Secure |
Affected by 19 other vulnerabilities. |
|
VCID-wg3a-j2dp-ayh4
Aliases: CVE-2021-22904 GHSA-7wjx-3g7j-8584 |
Possible DoS Vulnerability in Action Controller Token Authentication There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 Impact ------ Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. Impacted code will look something like this: ``` class PostsController < ApplicationController before_action :authenticate private def authenticate authenticate_or_request_with_http_token do |token, options| # ... end end end ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue: ```ruby module ActionController::HttpAuthentication::Token AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-http-authentication-dos.patch - Patch for 5.2 series * 6-0-http-authentication-dos.patch - Patch for 6.0 series * 6-1-http-authentication-dos.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue! |
Affected by 35 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-wyy6-h8bq-vyde
Aliases: CVE-2021-22902 GHSA-g8ww-46x2-2p65 |
Denial of Service in Action Dispatch Impact ------ There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue. ```ruby module Mime class Type MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/ end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series * 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Security Curious <security...@pm.me> for reporting this! |
Affected by 19 other vulnerabilities. |
|
VCID-yy6t-ybeu-qycc
Aliases: CVE-2024-47889 GHSA-h47h-mwp9-c6q6 |
Possible ReDoS vulnerability in block_format in Action Mailer There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889. Impact ------ Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2 Credits ------- Thanks to yuki_osaki for the report! |
Affected by 8 other vulnerabilities. |
|
VCID-yzpx-3gam-y3bu
Aliases: CVE-2025-24293 GHSA-r4mg-4433-c7g3 |
Active Storage allowed transformation methods that were potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. This has been assigned the CVE identifier CVE-2025-24293. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1 Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this! |
Affected by 8 other vulnerabilities. |
|
VCID-z1jv-4ga2-7kd1
Aliases: CVE-2016-2097 GHSA-vx9j-46rh-fqr8 |
Possible Information Leak Vulnerability Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ``` def index; render params[:id]; end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack. |
Affected by 53 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-zkvd-bfd6-t7dg
Aliases: CVE-2014-7818 GHSA-29gr-w57f-rpfw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 53 other vulnerabilities. |
|
VCID-zqzx-avvt-wkhm
Aliases: CVE-2025-55193 GHSA-76r7-hhxj-r776 |
Active Record logging vulnerable to ANSI escape injection This vulnerability has been assigned the CVE identifier CVE-2025-55193 ### Impact The ID passed to `find` or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. ### Releases The fixed releases are available at the normal locations. ### Credits Thanks to [lio346](https://hackerone.com/lio346) from Unit 515 of OPSWAT for reporting this vulnerability |
Affected by 8 other vulnerabilities. |
|
VCID-zy7d-3db6-sydw
Aliases: CVE-2020-8264 GHSA-35mm-cc6r-8fjp |
Cross-site scripting in actionpack In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. Workarounds ----------- Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb: `config.middleware.delete ActionDispatch::ActionableExceptions` |
Affected by 19 other vulnerabilities. |
|
VCID-zydu-j9dg-fqdb
Aliases: CVE-2019-5420 GHSA-m42h-mh85-4qgc |
Improper Input Validation A remote code execution vulnerability in development mode Rails can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit. |
Affected by 35 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1rgy-k7a9-m7au | XSS via posted select tag options Ruby on Rails is vulnerable to remote cross-site scripting because the application does not validate manually generated `select tag options` upon submission to `actionpack/lib/action_view/helpers/form_options_helper.rb`. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
CVE-2012-1099
GHSA-2xjj-5x6h-8vmf OSV-79727 |
| VCID-3wtf-uu89-2qe5 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. |
CVE-2014-0081
GHSA-m46p-ggm5-5j83 OSV-103439 |
| VCID-43f3-rxwm-fkgv | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." |
CVE-2011-2932
GHSA-9fh3-vh3h-q4g3 |
| VCID-49pq-vg95-jkh2 | Cross-Site Request Forgery (CSRF) Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. |
CVE-2011-0447
GHSA-24fg-p96v-hxh8 |
| VCID-4cky-r218-dkbb | activerecord vulnerable to SQL Injection Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. |
CVE-2011-2930
GHSA-h6w6-xmqv-7q78 |
| VCID-4epw-vk25-mfdw | XSS vulnerability in sanitize_css in Action Pack Carefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack. |
CVE-2013-1855
GHSA-q759-hwvc-m3jg OSV-91452 |
| VCID-4he5-y1u4-gkd2 | XSS Vulnerability in the `sanitize` helper The `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious. |
CVE-2013-1857
GHSA-j838-vfpq-fmf2 OSV-91454 |
| VCID-ca7u-t1y4-uuc7 | Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3 There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. |
CVE-2013-0333
GHSA-xgr2-v94m-rc9g OSV-89594 |
| VCID-carc-ntrd-ebfe | Multiple vulnerabilities in parameter parsing in Action Pack There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. |
CVE-2013-0156
GHSA-jmgw-6vjg-jjwg OSV-89026 |
| VCID-cnqr-6e98-5kgk | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. |
CVE-2011-0446
GHSA-75w6-p6mg-vh8j |
| VCID-cwa7-9d2t-rfhb | actionpack Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. |
CVE-2012-3465
GHSA-7g65-ghrg-hpf5 OSV-84513 |
| VCID-eb5z-q7rj-j7hh | Active Record component in Ruby on Rails has a data-type injection vulnerability The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. |
CVE-2013-3221
GHSA-f57c-hx33-hvh8 |
| VCID-hbtn-7423-m3gb | Circumvention of attr_protected The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected. |
CVE-2013-0276
GHSA-gr44-7grc-37vq OSV-90072 |
| VCID-hr2h-y693-sbgc | activesupport Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails before 2.3.16, 3.0.x before , 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. |
CVE-2012-3464
GHSA-h835-75hw-pj89 OSV-84516 |
| VCID-j7p8-hchp-xbe3 | Unsafe Query Generation Risk in Ruby on Rails Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it. |
CVE-2013-0155
GHSA-gppp-5xc5-wfpx OSV-89025 |
| VCID-kkbt-pr7u-f7gn | Active Record contains SQL Injection SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. |
CVE-2012-6496
GHSA-gh2w-j7cx-2664 OSV-88661 |
| VCID-knsd-pv15-tydx | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. |
CVE-2011-2931
GHSA-v5jg-558j-q67c |
| VCID-kr1b-uct1-7kf6 | Response Splitting Vulnerability in Ruby on Rails A response splitting flaw can allow a remote attacker to inject arbitrary HTTP headers into a response due to insufficient sanitization of the values provided for response content types. |
CVE-2011-3186
GHSA-fcqf-h4h4-695m OSV-74616 |
| VCID-mep3-6sub-ykdk | Denial of Service Vulnerability when using render :text Strings sent in specially crafted headers will be converted to symbols. |
CVE-2014-0082
GHSA-7cgp-c3g7-qvrw OSV-103440 |
| VCID-nk6g-hhsk-8kaw | Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 There is a vulnerability in the serialized attribute handling code in Ruby on Rails, applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. |
CVE-2013-0277
GHSA-fhj9-cjjh-27vm OSV-90073 |
| VCID-sz4r-kjse-cbdd | Remote attacker can conduct SQL injection attacks Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker to more easily conduct SQL injection attacks. |
CVE-2012-6497
GHSA-rx7j-mw4c-76g9 OSV-89064 |
| VCID-va9q-fjn6-yqee | Direct Manipulation XSS Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate direct manipulations of `SafeBuffer` objects via `'[]'` and other methods. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
CVE-2012-1098
GHSA-qv8p-v9qw-wc7g OSV-79726 |
| VCID-xa94-z6yu-skf8 | Symbol DoS vulnerability in Active Record When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately. |
CVE-2013-1854
GHSA-3crr-9vmg-864v OSV-91453 |