Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/rails@3.0.6
purl pkg:gem/rails@3.0.6
Next non-vulnerable version 4.2.11
Latest non-vulnerable version 7.1.3.1
Risk
Vulnerabilities affecting this package (10)
Vulnerability Summary Fixed by
VCID-5pfg-7ntp-eff4
Aliases:
CVE-2011-4319
GHSA-xxr8-833v-c7wc
OSV-77199
Cross-site Scripting vulnerability in i18n translations helper method Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
3.0.11
Affected by 8 other vulnerabilities.
3.1.2
Affected by 8 other vulnerabilities.
VCID-7g2f-y978-hqgr
Aliases:
CVE-2009-4214
GHSA-9p3v-wf2w-v29c
Moderate severity vulnerability that affects rails Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. There are no reported fixed by versions.
VCID-832g-x9kb-3bbx
Aliases:
CVE-2016-2097
GHSA-vx9j-46rh-fqr8
actionview contains Path Traversal vulnerability There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all possible scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097. Versions Affected: 3.2.x, 4.0.x, 4.1.x Not affected: 4.2+ Fixed Versions: 3.2.22.2, 4.1.14.2 Impact ------ Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: ```ruby def index render params[:id] end ``` Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method. For example, change this: ```ruby def index render params[:id] end ``` To this: ```ruby def index render verify_template(params[:id]) end private def verify_template(name) # add verification logic particular to your application here end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for it. It is in git-am format and consist of a single changeset. * 3-2-render_data_leak_2.patch - Patch for 3.2 series * 4-1-render_data_leak_2.patch - Patch for 4.1 series Credits ------- Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!
3.2.22.2
Affected by 4 other vulnerabilities.
4.1.14.2
Affected by 5 other vulnerabilities.
VCID-ejgq-s79w-abd6
Aliases:
CVE-2011-2197
GHSA-v9v4-7jp6-8c73
rails Cross-site Scripting vulnerability The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
3.0.7
Affected by 9 other vulnerabilities.
3.0.8
Affected by 9 other vulnerabilities.
VCID-hh65-ycrj-d7gz
Aliases:
CVE-2014-0130
GHSA-6x85-j5j2-27jx
actionpack Path Traversal vulnerability Directory traversal vulnerability in `actionpack/lib/abstract_controller/base.rb` in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
3.2.18
Affected by 5 other vulnerabilities.
4.0.5
Affected by 8 other vulnerabilities.
4.1.1
Affected by 8 other vulnerabilities.
VCID-jpj6-wzp3-m3e4
Aliases:
CVE-2014-0082
GHSA-7cgp-c3g7-qvrw
OSV-103440
actionpack Improper Input Validation vulnerability `actionpack/lib/action_view/template/text.rb` in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the `:text` option to the `render` method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
3.2.17
Affected by 6 other vulnerabilities.
VCID-nax4-x97j-9fgr
Aliases:
CVE-2013-6414
GHSA-mpxf-gcw2-pw5q
OSV-100525
actionpack Improper Input Validation vulnerability `actionpack/lib/action_view/lookup_context.rb` in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
3.2.16
Affected by 7 other vulnerabilities.
4.0.2
Affected by 10 other vulnerabilities.
VCID-q1rj-sqa4-q3b4
Aliases:
CVE-2006-4112
GHSA-9wrq-xvmp-xjc8
Rails Denial of Service vulnerability Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111. There are no reported fixed by versions.
VCID-vs1a-m7ya-rue8
Aliases:
CVE-2014-0081
GHSA-m46p-ggm5-5j83
OSV-103439
Rails vulnerable to Cross-site Scripting There is an XSS vulnerability in the `number_to_currency`, `number_to_percentage` and `number_to_human` helpers in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0081. Versions Affected: All. Fixed Versions: 4.1.0.beta2, 4.0.3, 3.2.17. Impact ------ These helpers allows users to nicely format a numeric value. Some of the parameters to the helper (format, negative_format and units) are not escaped correctly. Applications which pass user controlled data as one of these parameters are vulnerable to an XSS attack. All users passing user controlled data to these parameters of the number helpers should either upgrade or use one of the workarounds immediately. Releases -------- The 4.1.0.rc1, 4.0.3 and 3.2.17 releases are available at the normal locations. Workarounds ----------- The workaround for this issue is to escape the value passed to the parameter. For example, replace code like this: ```ruby <%= number_to_currency(1.02, format: params[:format]) %> ``` With code like this ```ruby <%= number_to_currency(1.02, format: h(params[:format])) %> ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 4-1-beta-number_helpers_xss.patch - Patch for 4.1-beta series * 4-0-number_helpers_xss.patch - Patch for 4.0 series * 3-2-number_helpers_xss.patch - Patch for 3.2 series Please note that only the 4.0.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Kevin Reintjes for reporting the issue to us. -- Aaron Patterson http://tenderlovemaking.com/
3.2.17
Affected by 6 other vulnerabilities.
4.0.3
Affected by 9 other vulnerabilities.
4.1.0.beta2
Affected by 8 other vulnerabilities.
4.1.0
Affected by 9 other vulnerabilities.
VCID-w8ez-zf1z-qubq
Aliases:
CVE-2006-4111
GHSA-rvpq-5xqx-pfpp
Ruby on Rails vulnerable to code injection Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. There are no reported fixed by versions.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-fr3w-ejk8-47gw Cross site scripting in actionpack Rubygem A cross-site scripting vulnerability flaw was found in the `auto_link` function in Rails before version 3.0.6. CVE-2011-1497
GHSA-q58j-fmvf-9rq6

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-30T03:46:34.279317+00:00 GitLab Importer Affected by VCID-5pfg-7ntp-eff4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2011-4319.yml 38.6.0
2026-05-30T03:46:32.966661+00:00 GitLab Importer Affected by VCID-ejgq-s79w-abd6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2011-2197.yml 38.6.0
2026-05-30T03:38:45.548523+00:00 GitLab Importer Affected by VCID-832g-x9kb-3bbx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2016-2097.yml 38.6.0
2026-05-30T03:36:00.317800+00:00 GitLab Importer Affected by VCID-hh65-ycrj-d7gz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2014-0130.yml 38.6.0
2026-05-30T03:35:40.815031+00:00 GitLab Importer Affected by VCID-vs1a-m7ya-rue8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2014-0081.yml 38.6.0
2026-05-30T03:35:37.998765+00:00 GitLab Importer Affected by VCID-jpj6-wzp3-m3e4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2014-0082.yml 38.6.0
2026-05-30T03:35:21.194950+00:00 GitLab Importer Affected by VCID-nax4-x97j-9fgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2013-6414.yml 38.6.0
2026-05-29T23:57:47.861112+00:00 Ruby Importer Affected by VCID-7g2f-y978-hqgr https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml 38.6.0
2026-05-29T23:57:30.706982+00:00 Ruby Importer Affected by VCID-q1rj-sqa4-q3b4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml 38.6.0
2026-05-29T23:57:17.073893+00:00 Ruby Importer Affected by VCID-vs1a-m7ya-rue8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml 38.6.0
2026-05-29T23:57:00.275144+00:00 Ruby Importer Affected by VCID-w8ez-zf1z-qubq https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml 38.6.0
2026-05-29T17:32:02.818481+00:00 GitLab Importer Fixing VCID-fr3w-ejk8-47gw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2011-1497.yml 38.6.0