| purl | pkg:gem/actionpack@3.1 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1rgy-k7a9-m7au<br>Aliases: CVE-2012-1099, GHSA-2xjj-5x6h-8vmf, OSV-79727 | **XSS via posted select tag options.** Ruby on Rails is vulnerable to remote cross-site scripting because the application does not validate manually generated `select tag options` upon submission to `actionpack/lib/action_view/helpers/form_options_helper.rb`. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | 3 fixing versions (affected by 51, 54 and 54 other vulnerabilities respectively) |
| VCID-awt1-8bxs-xffs<br>Aliases: CVE-2012-3424, GHSA-92w9-2pqw-rhjj, OSV-84243 | **actionpack Improper Authentication vulnerability.** The `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method. | 3 fixing versions (affected by 50, 54 and 53 other vulnerabilities respectively) |
| VCID-c1w4-z275-tqg7<br>Aliases: CVE-2012-3463, GHSA-98mf-8f57-64qf, OSV-84515 | **Ruby on Rails Potential XSS Vulnerability in select_tag prompt.** When a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped and is supplied as the prompt value, there is a potential for XSS attacks. | 3 fixing versions (affected by 48, 54 and 51 other vulnerabilities respectively) |
| VCID-carc-ntrd-ebfe<br>Aliases: CVE-2013-0156, GHSA-jmgw-6vjg-jjwg, OSV-89026 | **Multiple vulnerabilities in parameter parsing in Action Pack.** There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. | 3 fixing versions (affected by 47, 54 and 50 other vulnerabilities respectively) |
| VCID-cwa7-9d2t-rfhb<br>Aliases: CVE-2012-3465, GHSA-7g65-ghrg-hpf5, OSV-84513 | **actionpack Cross-site Scripting vulnerability.** Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. | 3 fixing versions (affected by 48, 54 and 51 other vulnerabilities respectively) |
| VCID-hmp2-rmzv-wkhg<br>Aliases: CVE-2011-2929, GHSA-r7q2-5gqg-6c7q | **Improper Input Validation.** The template selection functionality in `actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability." | There are no reported fixed by versions. |
| VCID-phxs-zet8-ryh3<br>Aliases: CVE-2012-2660, GHSA-hgpp-pp89-4fgf, OSV-82610 | **SQL Injection.** Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses into application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places. | 2 fixing versions (affected by 51 and 54 other vulnerabilities respectively) |
| VCID-rps2-k24p-9qgq<br>Aliases: CVE-2011-4319, GHSA-xxr8-833v-c7wc, OSV-77199 | **Translate helper method which may allow an attacker to insert arbitrary code into a page.** The helper method for i18n translations has a convention whereby translation strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped. | 1 fixing version (affected by 52 other vulnerabilities) |
| VCID-tt6r-bytq-4fa4<br>Aliases: CVE-2012-2694, GHSA-q34c-48gc-m9g8 | **actionpack allows remote attackers to bypass database-query restrictions and perform NULL checks via a crafted request.** `actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660. | 2 fixing versions (affected by 51 and 54 other vulnerabilities respectively) |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |