Alert

oval:org.secpod.oval:def:605181 - rails is installed
oval:org.secpod.oval:def:2004056 - There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform RCE.
oval:org.secpod.oval:def:602424 - Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails. CVE-2016-2097 Crafted requests to Action View, one of the components of Action Pack, might result in rendering files from ...
oval:org.secpod.oval:def:600612 - Several vulnerabilities have been discovered in Rails, the Ruby web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-4214 A cross-site scripting vulnerability had been found in the strip_tags function. An attacker may inject non-pri ...
oval:org.secpod.oval:def:600796 - Sergey Nartimov discovered that in Rails, a Ruby-based framework for web development, when developers generate HTML options tags manually, user input concatenated with manually built tags may not be escaped and an attacker can inject arbitrary HTML into the document.
oval:org.secpod.oval:def:600950 - An interpretation conflict can cause the Active Record component of Rails, a web framework for the Ruby programming language, to truncate queries in unexpected ways. This may allow attackers to elevate their privileges.
oval:org.secpod.oval:def:600538 - Several vulnerabilities have been discovered in Rails, the Ruby web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-0446 Multiple cross-site scripting vulnerabilities when JavaScript encoding is used, allow remote attackers to inje ...
oval:org.secpod.oval:def:600715 - It was discovered that the last security update for Ruby on Rails, DSA-2301-1, introduced a regression in the libactionpack-ruby package.
oval:org.secpod.oval:def:600962 - Two vulnerabilities were discovered in Ruby on Rails, a Ruby framework for web application development. CVE-2013-0276 The blacklist provided by the attr_protected method could be bypassed with crafted requests, having an application-specific impact. CVE-2013-0277 In some applications, the +serialize ...
oval:org.secpod.oval:def:601416 - rails is installed
oval:org.secpod.oval:def:601000 - Several cross-site scripting and denial of service vulnerabilities were discovered in Ruby on Rails, a Ruby framework for web application development.
oval:org.secpod.oval:def:602354 - Multiple security issues have been discovered in the Ruby on Rails web application development framework, which may result in denial of service, cross-site scripting, information disclosure or bypass of input validation.
oval:org.secpod.oval:def:600944 - joernchen of Phenoelit discovered that rails, an MVC Ruby-based framework geared for web application development, is not properly treating user-supplied input to find_by_* methods. Depending on how the Ruby on Rails application is using these methods, this allows an attacker to perform SQL injection ...
oval:org.secpod.oval:def:610511 - Brief introduction: Two vulnerabilities were discovered in rails, the Ruby-based server-side MVC web application framework, which could lead to XSS and DOM-based cross-site scripting. This update also fixes a regression introduced in a previous update that may block certain access for apps using devel ...
oval:org.secpod.oval:def:93323 - Brief introduction: Two vulnerabilities were discovered in rails, the Ruby-based server-side MVC web application framework, which could lead to XSS and DOM-based cross-site scripting. This update also fixes a regression introduced in a previous update that may block certain access for apps using devel ...
oval:org.secpod.oval:def:2004057 - In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
oval:org.secpod.oval:def:602597 - Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View in rails, a web application framework written in Ruby. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers.
oval:org.secpod.oval:def:2001299 - A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.
oval:org.secpod.oval:def:600955 - Lawrence Pit discovered that Ruby on Rails, a web development framework, is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML. The vulnerability has been addressed by removing the YAML backend and ad ...
oval:org.secpod.oval:def:600942 - It was discovered that Rails, the Ruby web application development framework, performed insufficient validation on input parameters, allowing unintended type conversions. An attacker may use this to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a ...
oval:org.secpod.oval:def:89374 - Multiple vulnerabilities were discovered in rails, the Ruby-based server-side MVC web application framework, which could result in XSS, data disclosure and open redirect.
oval:org.secpod.oval:def:2001367 - ** DISPUTED ** SQL injection vulnerability in the "reorder" method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the "name" parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use wit ...
oval:org.secpod.oval:def:2001447 - ** DISPUTED ** SQL injection vulnerability in the "order" method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the "id desc" parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use wi ...
oval:org.secpod.oval:def:2001478 - ** DISPUTED ** SQL injection vulnerability in the "where" method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the "id" parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with un ...
oval:org.secpod.oval:def:2000456 - ** DISPUTED ** SQL injection vulnerability in the "find_by" method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the "name" parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use wit ...