Package details: pkg:rpm/redhat/rubygem-activesupport@1:3.0.10-5?arch=el6cf
purl pkg:rpm/redhat/rubygem-activesupport@1:3.0.10-5?arch=el6cf
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (11)
Vulnerability Summary Fixed by
VCID-awt1-8bxs-xffs
Aliases:
CVE-2012-3424
GHSA-92w9-2pqw-rhjj
OSV-84243
actionpack Improper Authentication vulnerability The `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method. There are no reported fixed by versions.
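The entry above is a resource-exhaustion issue: each field name in an attacker-supplied `Authorization: Digest` header was interned with `to_sym`, and before Ruby 2.2 symbols were never garbage-collected, so every request carrying a new field name permanently consumed memory. The following is an added example written for this page, not code from Rails or VulnerableCode; it models the two decoding styles side by side. The functions `split_digest_pairs`, `decode_credentials_vulnerable` and `decode_credentials_hardened`, the `DIGEST_FIELDS` list and the header line are all constructed for the example and are not the Rails implementation.

```ruby
# Field names that RFC 2617 Digest credentials can legitimately carry
# (constructed allow-list for this example).
DIGEST_FIELDS = %w[username realm nonce uri qop nc cnonce response opaque algorithm].freeze

# Splits 'key="value", key2=value2' pairs from a Digest Authorization header
# into [key, value] arrays, dropping the surrounding double quotes.
def split_digest_pairs(header)
  body = header.sub(/\ADigest\s+/, "")
  body.scan(/(\w+)=("[^"]*"|[^,]*)/).map { |key, value| [key, value.delete('"')] }
end

# Pre-fix style: every field name the client sends becomes a Symbol.
# A client that sends a fresh random field name per request grows the
# symbol table on every request; with non-collectable symbols that is a DoS.
def decode_credentials_vulnerable(header)
  split_digest_pairs(header).each_with_object({}) { |(key, value), creds| creds[key.to_sym] = value }
end

# Hardened variant (this example's own choice, not necessarily the upstream fix):
# keep String keys and accept only the fields the protocol defines, so the
# client cannot influence which keys exist at all.
def decode_credentials_hardened(header)
  split_digest_pairs(header).each_with_object({}) do |(key, value), creds|
    creds[key] = value if DIGEST_FIELDS.include?(key)
  end
end

# Hypothetical request header constructed for the demonstration.
SAMPLE_HEADER = 'Digest username="alice", realm="app", nonce="abc123", uri="/", ' \
                'response="0123456789abcdef", attacker_chosen_field_7f3a=1'

if __FILE__ == $PROGRAM_NAME
  p decode_credentials_vulnerable(SAMPLE_HEADER).keys  # Symbols, including the attacker's
  p decode_credentials_hardened(SAMPLE_HEADER).keys    # Strings, known fields only
end
```

Ruby 2.2 and later collect dynamically created symbols, which blunts this specific exhaustion, but interning attacker-controlled strings remains a pattern to flag in review: it still costs allocation per request and makes the set of keys in the hash attacker-defined.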
VCID-bsxw-gh14-rbef
Aliases:
CVE-2012-2695
GHSA-76wq-xw4h-f8wj
activerecord vulnerable to SQL Injection The Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. There are no reported fixed by versions.
VCID-c1w4-z275-tqg7
Aliases:
CVE-2012-3463
GHSA-98mf-8f57-64qf
OSV-84515
Ruby on Rails Potential XSS Vulnerability in select_tag prompt When a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. There are no reported fixed by versions.
VCID-carc-ntrd-ebfe
Aliases:
CVE-2013-0156
GHSA-jmgw-6vjg-jjwg
OSV-89026
Multiple vulnerabilities in parameter parsing in Action Pack There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. There are no reported fixed by versions.
VCID-cwa7-9d2t-rfhb
Aliases:
CVE-2012-3465
GHSA-7g65-ghrg-hpf5
OSV-84513
actionpack Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. There are no reported fixed by versions.
VCID-hr2h-y693-sbgc
Aliases:
CVE-2012-3464
GHSA-h835-75hw-pj89
OSV-84516
activesupport Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails before 2.3.16, 3.0.x before , 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. There are no reported fixed by versions.
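The two XSS entries above (the unescaped `select_tag` prompt and the `output_safety.rb` escaper that did not cover the single quote) are both output-encoding gaps, and the single-quote case is easy to underestimate: `&`, `<`, `>` and `"` are escaped, yet a value placed inside a single-quoted attribute can still close that attribute. The following is an added example written for this page, not code from Rails or VulnerableCode. It reimplements a minimal HTML escaper in both forms and a minimal `select_tag`; the helper names (`html_escape_without_quote`, `single_quoted_attr`, `select_tag_vulnerable`), the `HTML_ESCAPE` map and the payloads are the example's own and are not the Rails implementation.

```ruby
# Entity map used by the hardened escaper (constructed for this example;
# &#39; would serve equally well for the single quote).
HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#x27;"
}.freeze

# Models the pre-fix behaviour described above: four characters escaped,
# the single quote passed through untouched.
def html_escape_without_quote(text)
  text.to_s.gsub(/[&<>"]/) { |c| HTML_ESCAPE[c] }
end

# Hardened escaper: all five characters that matter in text and attribute context.
def html_escape(text)
  text.to_s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Renders a single-quoted attribute through the given escaper (a Method or
# lambda). With the quote-less escaper the value can end the attribute early
# and start a new one.
def single_quoted_attr(escaper, value)
  "<a title='#{escaper.call(value)}'>x</a>"
end

# Minimal select_tag: the vulnerable variant splices the prompt in verbatim,
# the hardened one escapes it like any other untrusted text.
def select_tag_vulnerable(name, option_tags, prompt: nil)
  head = prompt ? "<option value=\"\">#{prompt}</option>" : ""
  "<select name=\"#{html_escape(name)}\">#{head}#{option_tags}</select>"
end

def select_tag(name, option_tags, prompt: nil)
  head = prompt ? "<option value=\"\">#{html_escape(prompt)}</option>" : ""
  "<select name=\"#{html_escape(name)}\">#{head}#{option_tags}</select>"
end

# Constructed attacker-controlled values for the demonstration.
ATTR_PAYLOAD   = "' onmouseover='alert(1)"
PROMPT_PAYLOAD = "<img src=x onerror=alert(1)>"

if __FILE__ == $PROGRAM_NAME
  puts single_quoted_attr(method(:html_escape_without_quote), ATTR_PAYLOAD)
  puts single_quoted_attr(method(:html_escape), ATTR_PAYLOAD)
  puts select_tag_vulnerable("color", "<option>red</option>", prompt: PROMPT_PAYLOAD)
  puts select_tag("color", "<option>red</option>", prompt: PROMPT_PAYLOAD)
end
```

The check to carry into a code review is context-specific: an escaper is only sufficient for the delimiter the template actually uses, so either escape all five characters or forbid single-quoted attributes in templates that rely on a four-character escaper.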
VCID-j7p8-hchp-xbe3
Aliases:
CVE-2013-0155
GHSA-gppp-5xc5-wfpx
OSV-89025
Unsafe Query Generation Risk in Ruby on Rails Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it. There are no reported fixed by versions.
VCID-kkbt-pr7u-f7gn
Aliases:
CVE-2012-6496
GHSA-gh2w-j7cx-2664
OSV-88661
Active Record contains SQL Injection SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. There are no reported fixed by versions.
VCID-phxs-zet8-ryh3
Aliases:
CVE-2012-2660
GHSA-hgpp-pp89-4fgf
OSV-82610
SQL Injection Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses into application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places. There are no reported fixed by versions.
VCID-rq7w-zmh4-17e1
Aliases:
CVE-2012-2661
GHSA-fh39-v733-mxfr
OSV-82403
SQL injection vulnerability in Active Record Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. There are no reported fixed by versions.
VCID-tt6r-bytq-4fa4
Aliases:
CVE-2012-2694
GHSA-q34c-48gc-m9g8
actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request `actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660. There are no reported fixed by versions.
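Several entries above share one root cause: Rack (and the JSON parser) can produce `nil`, arrays and nested hashes from a crafted request, and the Active Record 3.0-era hash-condition builder gave each of those shapes a meaning (`nil` becomes `IS NULL`, an array becomes `IN (...)` with an `IS NULL` branch for a `nil` element, a nested hash makes the key a table name), so request data passed straight into `where` let the client choose the query shape. That is the mechanism behind CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 and CVE-2013-0155 above, and the same "unexpected data type" behaviour is what the dynamic-finder entry (CVE-2012-6496) describes. The following is an added example written for this page, not code from Rack, Rails or VulnerableCode: a simplified reimplementation of Rack-style nested parameter parsing and a simplified model of the old hash-condition expansion, followed by the check that closes the hole. The names `parse_nested_query`, `build_where`, `find_by_name_sql` and `find_by_name_sql_hardened`, the quoting helper and the sample query strings are all constructed for the example; the SQL shapes are a model of the behaviour the entries describe, not the exact text any Rails version emitted.

```ruby
require "json"

# Minimal Rack-style nested query parser (constructed for this example):
#   "name=alice"        -> {"name" => "alice"}
#   "name"              -> {"name" => nil}          (no "=" yields nil)
#   "name[]=xyz&name[]" -> {"name" => ["xyz", nil]}
#   "name[id]=1"        -> {"name" => {"id" => "1"}}
# Only one level of [] / [sub] nesting is handled; that is enough here.
def parse_nested_query(query_string)
  params = {}
  query_string.split("&").each do |pair|
    next if pair.empty?
    key, value = pair.split("=", 2)
    m = key.match(/\A([^\[]+)(?:\[([^\]]*)\])?\z/) or next
    base, sub = m[1], m[2]
    if sub.nil?                                   # plain key
      params[base] = value
    elsif sub.empty?                              # key[] -> array
      params[base] = [] unless params[base].is_a?(Array)
      params[base] << value
    else                                          # key[sub] -> nested hash
      params[base] = {} unless params[base].is_a?(Hash)
      params[base][sub] = value
    end
  end
  params
end

# Simplified literal quoting for the demonstration only; a real adapter
# quotes according to the database's rules.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Models how the old hash conditions were expanded: the request decides
# the shape of the clause because every Ruby type has a meaning here.
def build_where(table, conditions)
  conditions.map do |column, value|
    case value
    when nil
      "#{table}.#{column} IS NULL"
    when Array
      present = value.compact.map { |v| quote(v) }
      parts = []
      parts << "#{table}.#{column} IN (#{present.join(', ')})" unless present.empty?
      parts << "#{table}.#{column} IS NULL" if value.include?(nil)
      "(#{parts.join(' OR ')})"
    when Hash
      build_where(column, value)                  # key re-read as a table name
    else
      "#{table}.#{column} = #{quote(value)}"
    end
  end.join(" AND ")
end

# Vulnerable pattern: request data goes straight into the condition hash.
def find_by_name_sql(params)
  "SELECT * FROM users WHERE " + build_where("users", "name" => params["name"])
end

# Hardened: a string column accepts a String and nothing else. nil, Array and
# Hash are shapes the client must not be able to pick, so they are rejected
# before any SQL is built.
def find_by_name_sql_hardened(params)
  name = params["name"]
  raise ArgumentError, "name must be a String" unless name.is_a?(String)
  "SELECT * FROM users WHERE " + build_where("users", "name" => name)
end

if __FILE__ == $PROGRAM_NAME
  ["name=alice", "name", "name[]=xyz&name[]", "name[id]=1"].each do |qs|
    puts "?#{qs.ljust(18)} => #{find_by_name_sql(parse_nested_query(qs))}"
  end
  # A JSON body reaches the same builder; [null] is the CVE-2013-0155 shape.
  puts find_by_name_sql(JSON.parse('{"name":[null]}'))
end
```

The hardened check is deliberately a type check on the value, not a blacklist of characters: the entries above make the point that the values are quoted correctly throughout, and the injection is carried by Ruby's data types, so filtering string contents would not have helped.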
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:55:37.618006+00:00 RedHat Importer Affected by VCID-rq7w-zmh4-17e1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2661.json 38.0.0
2026-04-01T14:55:36.963647+00:00 RedHat Importer Affected by VCID-phxs-zet8-ryh3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2660.json 38.0.0
2026-04-01T14:55:04.541860+00:00 RedHat Importer Affected by VCID-tt6r-bytq-4fa4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2694.json 38.0.0
2026-04-01T14:55:03.790963+00:00 RedHat Importer Affected by VCID-bsxw-gh14-rbef https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2695.json 38.0.0
2026-04-01T14:54:34.744492+00:00 RedHat Importer Affected by VCID-awt1-8bxs-xffs https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3424.json 38.0.0
2026-04-01T14:54:33.532457+00:00 RedHat Importer Affected by VCID-cwa7-9d2t-rfhb https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3465.json 38.0.0
2026-04-01T14:54:32.785912+00:00 RedHat Importer Affected by VCID-hr2h-y693-sbgc https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3464.json 38.0.0
2026-04-01T14:54:32.024443+00:00 RedHat Importer Affected by VCID-c1w4-z275-tqg7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3463.json 38.0.0
2026-04-01T14:53:22.922673+00:00 RedHat Importer Affected by VCID-kkbt-pr7u-f7gn https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-6496.json 38.0.0
2026-04-01T14:53:20.156571+00:00 RedHat Importer Affected by VCID-carc-ntrd-ebfe https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0156.json 38.0.0
2026-04-01T14:53:19.860885+00:00 RedHat Importer Affected by VCID-j7p8-hchp-xbe3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0155.json 38.0.0