Package details: pkg:ebuild/dev-ruby/rails@2.3.18
purl pkg:ebuild/dev-ruby/rails@2.3.18
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (19)
Vulnerability: VCID-43f3-rxwm-fkgv
  Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
  Aliases: CVE-2011-2932, GHSA-9fh3-vh3h-q4g3

Vulnerability: VCID-49pq-vg95-jkh2
  Summary: Cross-Site Request Forgery (CSRF). Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
  Aliases: CVE-2011-0447, GHSA-24fg-p96v-hxh8

Vulnerability: VCID-4cky-r218-dkbb
  Summary: activerecord vulnerable to SQL Injection. Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
  Aliases: CVE-2011-2930, GHSA-h6w6-xmqv-7q78

Vulnerability: VCID-4epw-vk25-mfdw
  Summary: XSS vulnerability in sanitize_css in Action Pack. Carefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack.
  Aliases: CVE-2013-1855, GHSA-q759-hwvc-m3jg, OSV-91452

Vulnerability: VCID-4he5-y1u4-gkd2
  Summary: XSS Vulnerability in the `sanitize` helper. The `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious.
  Aliases: CVE-2013-1857, GHSA-j838-vfpq-fmf2, OSV-91454

Vulnerability: VCID-6j55-bstz-yybj
  Summary: High severity vulnerability that affects actionpack. actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
  Aliases: CVE-2011-0449, GHSA-4ww3-3rxj-8v6q

Vulnerability: VCID-ca7u-t1y4-uuc7
  Summary: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3. There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.
  Aliases: CVE-2013-0333, GHSA-xgr2-v94m-rc9g, OSV-89594

Vulnerability: VCID-carc-ntrd-ebfe
  Summary: Multiple vulnerabilities in parameter parsing in Action Pack. There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.
  Aliases: CVE-2013-0156, GHSA-jmgw-6vjg-jjwg, OSV-89026

Vulnerability: VCID-cnqr-6e98-5kgk
  Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
  Aliases: CVE-2011-0446, GHSA-75w6-p6mg-vh8j

Vulnerability: VCID-hbtn-7423-m3gb
  Summary: Circumvention of attr_protected. The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.
  Aliases: CVE-2013-0276, GHSA-gr44-7grc-37vq, OSV-90072

Vulnerability: VCID-hmp2-rmzv-wkhg
  Summary: Improper Input Validation. The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
  Aliases: CVE-2011-2929, GHSA-r7q2-5gqg-6c7q

Vulnerability: VCID-j7p8-hchp-xbe3
  Summary: Unsafe Query Generation Risk in Ruby on Rails. Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query; however, they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it.
  Aliases: CVE-2013-0155, GHSA-gppp-5xc5-wfpx, OSV-89025

Vulnerability: VCID-j8zg-kq3z-jqcm
  Summary: Improper Input Validation. Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
  Aliases: CVE-2010-3933, GHSA-gjxw-5w2q-7grf

Vulnerability: VCID-knsd-pv15-tydx
  Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
  Aliases: CVE-2011-2931, GHSA-v5jg-558j-q67c

Vulnerability: VCID-kr1b-uct1-7kf6
  Summary: Response Splitting Vulnerability in Ruby on Rails. A response splitting flaw can allow a remote attacker to inject arbitrary HTTP headers into a response due to insufficient sanitization of the values provided for response content types.
  Aliases: CVE-2011-3186, GHSA-fcqf-h4h4-695m, OSV-74616

Vulnerability: VCID-nk6g-hhsk-8kaw
  Summary: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0. There is a vulnerability in the serialized attribute handling code in Ruby on Rails; applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities.
  Aliases: CVE-2013-0277, GHSA-fhj9-cjjh-27vm, OSV-90073

Vulnerability: VCID-uudj-r63z-kban
  Summary: XML Parsing Vulnerability affecting JRuby users. There is a vulnerability in the JDOM backend to ActiveSupport's XML parser. You should upgrade or use one of the workarounds immediately.
  Aliases: CVE-2013-1856, GHSA-9c2j-593q-3g82, OSV-91451

Vulnerability: VCID-xa94-z6yu-skf8
  Summary: Symbol DoS vulnerability in Active Record. When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the workarounds immediately.
  Aliases: CVE-2013-1854, GHSA-3crr-9vmg-864v, OSV-91453

Vulnerability: VCID-y54w-a8kr-suhy
  Summary: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
  Aliases: CVE-2011-0448, GHSA-jmm9-2p29-vh2w

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:01:41.754430+00:00 Gentoo Importer Fixing VCID-4he5-y1u4-gkd2 https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.746073+00:00 Gentoo Importer Fixing VCID-uudj-r63z-kban https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.736942+00:00 Gentoo Importer Fixing VCID-4epw-vk25-mfdw https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.728354+00:00 Gentoo Importer Fixing VCID-xa94-z6yu-skf8 https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.720143+00:00 Gentoo Importer Fixing VCID-ca7u-t1y4-uuc7 https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.711014+00:00 Gentoo Importer Fixing VCID-nk6g-hhsk-8kaw https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.701141+00:00 Gentoo Importer Fixing VCID-hbtn-7423-m3gb https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.691934+00:00 Gentoo Importer Fixing VCID-carc-ntrd-ebfe https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.682954+00:00 Gentoo Importer Fixing VCID-j7p8-hchp-xbe3 https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.673113+00:00 Gentoo Importer Fixing VCID-kr1b-uct1-7kf6 https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.662220+00:00 Gentoo Importer Fixing VCID-43f3-rxwm-fkgv https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.651213+00:00 Gentoo Importer Fixing VCID-knsd-pv15-tydx https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.642056+00:00 Gentoo Importer Fixing VCID-4cky-r218-dkbb https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.631490+00:00 Gentoo Importer Fixing VCID-hmp2-rmzv-wkhg https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.621862+00:00 Gentoo Importer Fixing VCID-6j55-bstz-yybj https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.612381+00:00 Gentoo Importer Fixing VCID-y54w-a8kr-suhy https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.603012+00:00 Gentoo Importer Fixing VCID-49pq-vg95-jkh2 https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.592594+00:00 Gentoo Importer Fixing VCID-cnqr-6e98-5kgk https://security.gentoo.org/glsa/201412-28 38.0.0
2026-04-01T13:01:41.583279+00:00 Gentoo Importer Fixing VCID-j8zg-kq3z-jqcm https://security.gentoo.org/glsa/201412-28 38.0.0