Search for packages
| purl | pkg:gem/actionpack@3.3 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-333w-aacz-mfcr
Aliases: CVE-2014-7829 GHSA-h56m-vwxc-3qpw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 37 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 36 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 38 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 37 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 36 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 32 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 31 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-35rt-t6e1-pfa6
Aliases: CVE-2014-0130 GHSA-6x85-j5j2-27jx |
Directory Traversal Vulnerability With Certain Route Configurations The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the RoR application server. |
Affected by 39 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 39 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-3wtf-uu89-2qe5
Aliases: CVE-2014-0081 GHSA-m46p-ggm5-5j83 OSV-103439 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. |
Affected by 41 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 38 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 39 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-5hqj-fxmk-cbcy
Aliases: CVE-2013-6415 GHSA-6h5q-96hp-9jgm OSV-100524 |
XSS Vulnerability in number_to_currency The number_to_currency helper allows users to nicely format a numeric value. The unit parameter is not escaped correctly. Application which pass user controlled data as the unit parameter are vulnerable to an XSS attack. |
Affected by 42 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-h94p-ywve-y7h9
Aliases: CVE-2013-6416 GHSA-w37c-q653-qg95 OSV-100526 |
XSS Vulnerability in simple_format helper The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack. |
Affected by 42 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-kcj2-v7av-47cv
Aliases: CVE-2013-4491 GHSA-699m-mcjm-9cw8 OSV-100528 |
Reflective XSS Vulnerability There is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack. |
Affected by 42 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-nf8s-2aaa-17fw
Aliases: CVE-2013-6417 GHSA-wpw7-wxjm-cw8r OSV-100527 |
Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) Due to the way that `Rack::Request` and `Rails::Request` interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries with `IS NULL` or empty where clauses. |
Affected by 42 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-pmrb-t3bm-zkb6
Aliases: CVE-2013-6414 GHSA-mpxf-gcw2-pw5q OSV-100525 |
Denial of Service Vulnerability in Action View There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service. |
Affected by 42 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
|
VCID-zkvd-bfd6-t7dg
Aliases: CVE-2014-7818 GHSA-29gr-w57f-rpfw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 37 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 38 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 37 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 32 other vulnerabilities.
This version is affected by these other vulnerabilities:
Affected by 31 other vulnerabilities.
This version is affected by these other vulnerabilities:
|
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||