Search for packages
| purl | pkg:gem/actionpack@4.1 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-333w-aacz-mfcr
Aliases: CVE-2014-7829 GHSA-h56m-vwxc-3qpw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 37 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-35rt-t6e1-pfa6
Aliases: CVE-2014-0130 GHSA-6x85-j5j2-27jx |
Directory Traversal Vulnerability With Certain Route Configurations The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the RoR application server. |
Affected by 39 other vulnerabilities. |
|
VCID-3wtf-uu89-2qe5
Aliases: CVE-2014-0081 GHSA-m46p-ggm5-5j83 OSV-103439 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. |
Affected by 39 other vulnerabilities. |
|
VCID-zkvd-bfd6-t7dg
Aliases: CVE-2014-7818 GHSA-29gr-w57f-rpfw |
Arbitrary file existence disclosure Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: `config.serve_static_assets = true` |
Affected by 37 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 31 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T15:18:20.504467+00:00 | Ruby Importer | Affected by | VCID-zkvd-bfd6-t7dg | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml | 38.0.0 |
| 2026-04-01T15:18:20.132430+00:00 | Ruby Importer | Affected by | VCID-3wtf-uu89-2qe5 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml | 38.0.0 |
| 2026-04-01T15:18:18.794239+00:00 | Ruby Importer | Affected by | VCID-35rt-t6e1-pfa6 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0130.yml | 38.0.0 |
| 2026-04-01T15:18:18.743208+00:00 | Ruby Importer | Affected by | VCID-333w-aacz-mfcr | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml | 38.0.0 |