Search for packages
| purl | pkg:gem/actionpack@3.2.23 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-86jq-2md2-d7ah
Aliases: CVE-2016-6316 GHSA-pc3m-v286-2jwj |
Possible XSS Vulnerability in ActionView There is a possible XSS vulnerability in Action View. Text declared as `HTML safe` will not have quotes escaped when used as attribute values in tag helpers. | There are no reported fixed by versions. |
|
VCID-9hq5-3usy-5fhq
Aliases: CVE-2016-0751 GHSA-ffpv-c4hm-3x6v |
Possible Object Leak and Denial of Service attack A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-bjwf-uhyk-63aj
Aliases: CVE-2015-7576 GHSA-p692-7mm3-3fxg |
Timing attack vulnerability in basic authentication Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-s5ah-tf63-a7cw
Aliases: CVE-2016-2098 GHSA-78rc-8c29-p45g |
Improper Input Validation The Rails gem allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. |
Affected by 26 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-v3r3-bwp5-a3bn
Aliases: CVE-2016-0752 GHSA-xrr4-p6fq-hjg7 |
Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-z1jv-4ga2-7kd1
Aliases: CVE-2016-2097 GHSA-vx9j-46rh-fqr8 |
Possible Information Leak Vulnerability Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ``` def index; render params[:id]; end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack. |
Affected by 26 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||