Package details: pkg:gem/actionpack@2.4
purl: pkg:gem/actionpack@2.4
Tags: Ghost (no such version is published in the upstream package registry)
Next non-vulnerable version: 7.0.8.7
Latest non-vulnerable version: 8.1.2.1
Risk: 10.0
Vulnerabilities affecting this package (10)
Each entry gives the vulnerability ID, its aliases, a summary, and the versions that fix it; the count next to a fixing version is the number of other vulnerabilities that fixing version is itself affected by.
VCID-49pq-vg95-jkh2
Aliases: CVE-2011-0447, GHSA-24fg-p96v-hxh8
Summary: Cross-Site Request Forgery (CSRF). Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects", a related issue to CVE-2011-0696.
Fixed by: 3.0.4 (affected by 53 other vulnerabilities)
VCID-4epw-vk25-mfdw
Aliases: CVE-2013-1855, GHSA-q759-hwvc-m3jg, OSV-91452
Summary: XSS vulnerability in sanitize_css in Action Pack. Carefully crafted text can bypass the sanitization provided by the `sanitize_css` method in Action Pack.
Fixed by: 3.1.12 (affected by 47 other vulnerabilities); 3.2.13 (affected by 50 other vulnerabilities)
VCID-4he5-y1u4-gkd2
Aliases: CVE-2013-1857, GHSA-j838-vfpq-fmf2, OSV-91454
Summary: XSS vulnerability in the `sanitize` helper. The `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious.
Fixed by: 3.1.12 (affected by 47 other vulnerabilities); 3.2.13 (affected by 50 other vulnerabilities)
VCID-c1w4-z275-tqg7
Aliases: CVE-2012-3463, GHSA-98mf-8f57-64qf, OSV-84515
Summary: Ruby on Rails potential XSS vulnerability in select_tag prompt. When a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped and is supplied as the prompt value, there is a potential for XSS attacks.
Fixed by: 3.0.17 (affected by 48 other vulnerabilities); 3.1.0.beta1 (affected by 52 other vulnerabilities); 3.1.8 (affected by 48 other vulnerabilities); 3.2.0.rc1 (affected by 54 other vulnerabilities); 3.2.8 (affected by 51 other vulnerabilities)
VCID-carc-ntrd-ebfe
Aliases: CVE-2013-0156, GHSA-jmgw-6vjg-jjwg, OSV-89026
Summary: Multiple vulnerabilities in parameter parsing in Action Pack. There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.
Fixed by: 3.0.19 (affected by 47 other vulnerabilities); 3.1.0.beta1 (affected by 52 other vulnerabilities); 3.1.10 (affected by 47 other vulnerabilities); 3.2.0.rc1 (affected by 54 other vulnerabilities); 3.2.11 (affected by 50 other vulnerabilities)
VCID-cnqr-6e98-5kgk
Aliases: CVE-2011-0446, GHSA-75w6-p6mg-vh8j
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
Fixed by: 3.0.4 (affected by 53 other vulnerabilities)
VCID-h94p-ywve-y7h9
Aliases: CVE-2013-6416, GHSA-w37c-q653-qg95, OSV-100526
Summary: XSS vulnerability in simple_format helper. The simple_format helper converts user-supplied text into HTML text which is intended to be safe for display. A change made to the implementation of this helper means that any user-provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as HTML attributes will be vulnerable to an XSS attack.
Fixed by: 3.1.0 (affected by 52 other vulnerabilities); 3.2.0 (affected by 55 other vulnerabilities); 4.0.2 (affected by 42 other vulnerabilities)
VCID-j24x-nhsb-yug6
Aliases: CVE-2011-2197, GHSA-v9v4-7jp6-8c73
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
Fixed by: 3.0.7 (affected by 52 other vulnerabilities); 3.0.8 (affected by 52 other vulnerabilities)
VCID-knsd-pv15-tydx
Aliases: CVE-2011-2931, GHSA-v5jg-558j-q67c
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
Fixed by: 3.0.10 (affected by 52 other vulnerabilities)
VCID-pmrb-t3bm-zkb6
Aliases: CVE-2013-6414, GHSA-mpxf-gcw2-pw5q, OSV-100525
Summary: Denial of Service vulnerability in Action View. There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow without bound, which will eventually consume all memory on the target machine, causing a denial of service.
Fixed by: 3.2.16 (affected by 43 other vulnerabilities); 4.0.2 (affected by 42 other vulnerabilities)
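The "Fixed by" versions above are only useful once they are turned into a per-branch check: a 3.1.x application is not helped by a 3.2.x patch release. The following is an added example (not code from the VulnerableCode page, the ruby-advisory-db, or the actionpack gem) that expresses four of the entries above as RubyGems requirement ranges and reports which advisories still affect a given actionpack version, including the one pinned in a Gemfile.lock. The ranges are an assumption derived from the listed fixing versions using the ruby-advisory-db convention (each fixing version patches its own minor branch with `~>`, the highest one patches everything after it with `>=`); the prerelease entries on the page (3.1.0.beta1, 3.2.0.rc1) are left out, and the sample Gemfile.lock is constructed.

```ruby
# Added example, not part of the VulnerableCode page or of the actionpack gem:
# decide whether an actionpack version is still affected by an advisory, using
# the "Fixed by" versions from the listing above expressed as Gem requirements.
require "rubygems" # Gem::Version and Gem::Requirement come with RubyGems

# Constructed from four entries of the listing above. The range syntax is an
# assumption: following the ruby-advisory-db convention, each fixing version
# patches its own minor branch ("~>") and the highest one patches that branch
# and every later release (">="). Prerelease entries on the page are omitted.
PATCHED = {
  "CVE-2013-1855" => ["~> 3.1.12", ">= 3.2.13"],
  "CVE-2012-3463" => ["~> 3.0.17", "~> 3.1.8", ">= 3.2.8"],
  "CVE-2013-0156" => ["~> 3.0.19", "~> 3.1.10", ">= 3.2.11"],
  "CVE-2013-6414" => ["~> 3.2.16", ">= 4.0.2"],
}.freeze

# A version is patched against an advisory when it satisfies at least one of
# the advisory's patched ranges; otherwise it is still affected.
def patched?(version, ranges)
  v = Gem::Version.new(version)
  ranges.any? { |r| Gem::Requirement.new(r).satisfied_by?(v) }
end

# IDs of the advisories in PATCHED that still affect the given version,
# in the order they are listed in PATCHED.
def vulnerable_advisories(version)
  PATCHED.reject { |_id, ranges| patched?(version, ranges) }.keys
end

# Gemfile.lock records each resolved gem as "    name (version)" under
# "specs:" (four spaces of indent); pull the actionpack version out of it.
def actionpack_version_from_lock(lock_text)
  m = lock_text.match(/^ {4}actionpack \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.11)
        activemodel (= 3.2.11)
        rack (~> 1.4.0)
      rack (1.4.5)

  PLATFORMS
    ruby
LOCK

if $PROGRAM_NAME == __FILE__
  ver = actionpack_version_from_lock(SAMPLE_LOCK)
  puts "actionpack #{ver}: #{vulnerable_advisories(ver).join(', ')}"
  # The purl on this page names a version that was never published; it is
  # older than every fixing version, so every advisory still applies.
  puts "actionpack 2.4: #{vulnerable_advisories('2.4').join(', ')}"
end
```

Run as a script it reports that the locked 3.2.11 is still affected by CVE-2013-1855 and CVE-2013-6414 (fixed in 3.2.13 and 3.2.16 respectively), and that 2.4 is affected by all four. Note that `~> 3.0.19` is satisfied by 3.0.20 but not by 3.1.9, which is exactly the branch-awareness a flat "is the version older than the fix" comparison gets wrong.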
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T15:18:20.177339+00:00 Ruby Importer Affected by VCID-knsd-pv15-tydx https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml 38.0.0
2026-04-01T15:18:20.067324+00:00 Ruby Importer Affected by VCID-49pq-vg95-jkh2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml 38.0.0
2026-04-01T15:18:19.785082+00:00 Ruby Importer Affected by VCID-j24x-nhsb-yug6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2197.yml 38.0.0
2026-04-01T15:18:19.424314+00:00 Ruby Importer Affected by VCID-pmrb-t3bm-zkb6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml 38.0.0
2026-04-01T15:18:19.327291+00:00 Ruby Importer Affected by VCID-carc-ntrd-ebfe https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-0156.yml 38.0.0
2026-04-01T15:18:18.987880+00:00 Ruby Importer Affected by VCID-h94p-ywve-y7h9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.yml 38.0.0
2026-04-01T15:18:18.946934+00:00 Ruby Importer Affected by VCID-4he5-y1u4-gkd2 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1857.yml 38.0.0
2026-04-01T15:18:18.911607+00:00 Ruby Importer Affected by VCID-4epw-vk25-mfdw https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml 38.0.0
2026-04-01T15:18:18.888980+00:00 Ruby Importer Affected by VCID-cnqr-6e98-5kgk https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml 38.0.0
2026-04-01T15:18:18.566600+00:00 Ruby Importer Affected by VCID-c1w4-z275-tqg7 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-3463.yml 38.0.0