VulnerableCode Package Details - pkg:ebuild/dev-ruby/rails@2.3.5

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3zdr-vasc-a7cn	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.	CVE-2009-3009 GHSA-8qrh-h9m2-5fvf OSV-57666
VCID-4zhj-en7h-3yaz	Improper Authentication The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.	CVE-2009-2422 GHSA-rxq3-gm4p-5fj4
VCID-7f5r-9h1g-nuch	Exposure of Sensitive Information to an Unauthorized Actor A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.	CVE-2009-3086 GHSA-fg9w-g6m4-557j
VCID-9hvm-2hnk-hyev	The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.	CVE-2007-6077 GHSA-p4c6-77gc-694x
VCID-gsx2-9sc2-3fbr	Moderate severity vulnerability that affects rails Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.	CVE-2009-4214 GHSA-9p3v-wf2w-v29c
VCID-nzeb-cy9e-tkax	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.	CVE-2008-4094 GHSA-xf96-32q2-9rw2
VCID-vgm2-8wjy-x7ed	Improper Input Validation Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.	CVE-2008-7248 GHSA-8fqx-7pv4-3jwm
VCID-wgr4-rzk2-4yet	Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."	CVE-2007-5380 GHSA-jwhv-rgqc-fqj5

Vulnerability

Summary

Aliases

VCID-3zdr-vasc-a7cn

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

CVE-2009-3009
GHSA-8qrh-h9m2-5fvf
OSV-57666

VCID-4zhj-en7h-3yaz

Improper Authentication The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

CVE-2009-2422
GHSA-rxq3-gm4p-5fj4

VCID-7f5r-9h1g-nuch

Exposure of Sensitive Information to an Unauthorized Actor A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

CVE-2009-3086
GHSA-fg9w-g6m4-557j

VCID-9hvm-2hnk-hyev

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

CVE-2007-6077
GHSA-p4c6-77gc-694x

VCID-gsx2-9sc2-3fbr

Moderate severity vulnerability that affects rails Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

CVE-2009-4214
GHSA-9p3v-wf2w-v29c

VCID-nzeb-cy9e-tkax

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

CVE-2008-4094
GHSA-xf96-32q2-9rw2

VCID-vgm2-8wjy-x7ed

Improper Input Validation Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

CVE-2008-7248
GHSA-8fqx-7pv4-3jwm

VCID-wgr4-rzk2-4yet

Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

CVE-2007-5380
GHSA-jwhv-rgqc-fqj5

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:10:12.629621+00:00	Gentoo Importer	Fixing	VCID-gsx2-9sc2-3fbr	https://security.gentoo.org/glsa/200912-02	38.0.0
2026-04-01T13:10:12.615086+00:00	Gentoo Importer	Fixing	VCID-7f5r-9h1g-nuch	https://security.gentoo.org/glsa/200912-02	38.0.0
2026-04-01T13:10:12.599580+00:00	Gentoo Importer	Fixing	VCID-3zdr-vasc-a7cn	https://security.gentoo.org/glsa/200912-02	38.0.0
2026-04-01T13:10:12.587452+00:00	Gentoo Importer	Fixing	VCID-4zhj-en7h-3yaz	https://security.gentoo.org/glsa/200912-02	38.0.0
2026-04-01T13:10:12.574265+00:00	Gentoo Importer	Fixing	VCID-vgm2-8wjy-x7ed	https://security.gentoo.org/glsa/200912-02	38.0.0
2026-04-01T13:10:12.560414+00:00	Gentoo Importer	Fixing	VCID-nzeb-cy9e-tkax	https://security.gentoo.org/glsa/200912-02	38.0.0
2026-04-01T13:10:12.544976+00:00	Gentoo Importer	Fixing	VCID-9hvm-2hnk-hyev	https://security.gentoo.org/glsa/200912-02	38.0.0
2026-04-01T13:10:12.530010+00:00	Gentoo Importer	Fixing	VCID-wgr4-rzk2-4yet	https://security.gentoo.org/glsa/200912-02	38.0.0