Filtered by vendor Rubyonrails
Subscriptions
Total
139 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2014-7818 | 2 Opensuse, Rubyonrails | 3 Opensuse, Rails, Ruby On Rails | 2025-04-12 | N/A |
| Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. | ||||
| CVE-2014-3482 | 2 Redhat, Rubyonrails | 3 Rhel Software Collections, Rails, Ruby On Rails | 2025-04-12 | N/A |
| SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. | ||||
| CVE-2016-2097 | 2 Redhat, Rubyonrails | 3 Rhel Software Collections, Rails, Ruby On Rails | 2025-04-12 | N/A |
| Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. | ||||
| CVE-2016-6317 | 2 Redhat, Rubyonrails | 2 Rhel Software Collections, Rails | 2025-04-12 | N/A |
| Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155. | ||||
| CVE-2015-7578 | 1 Rubyonrails | 2 Html Sanitizer, Rails | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes. | ||||
| CVE-2015-3224 | 1 Rubyonrails | 1 Web Console | 2025-04-12 | N/A |
| request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request. | ||||
| CVE-2015-7581 | 2 Redhat, Rubyonrails | 2 Rhel Software Collections, Rails | 2025-04-12 | N/A |
| actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route. | ||||
| CVE-2016-0751 | 2 Redhat, Rubyonrails | 3 Rhel Software Collections, Rails, Ruby On Rails | 2025-04-12 | N/A |
| actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. | ||||
| CVE-2016-2098 | 3 Debian, Redhat, Rubyonrails | 4 Debian Linux, Rhel Software Collections, Rails and 1 more | 2025-04-12 | N/A |
| Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. | ||||
| CVE-2015-7580 | 1 Rubyonrails | 2 Html Sanitizer, Rails | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. | ||||
| CVE-2014-3514 | 2 Redhat, Rubyonrails | 2 Rhel Software Collections, Rails | 2025-04-12 | N/A |
| activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. | ||||
| CVE-2015-1840 | 3 Fedoraproject, Opensuse, Rubyonrails | 4 Fedora, Opensuse, Jquery-rails and 1 more | 2025-04-12 | N/A |
| jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value. | ||||
| CVE-2015-7576 | 2 Redhat, Rubyonrails | 3 Rhel Software Collections, Rails, Ruby On Rails | 2025-04-12 | N/A |
| The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. | ||||
| CVE-2014-3916 | 1 Rubyonrails | 1 Rails | 2025-04-12 | N/A |
| The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string. | ||||
| CVE-2015-3226 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. | ||||
| CVE-2015-7579 | 1 Rubyonrails | 2 Html Sanitizer, Rails | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class. | ||||
| CVE-2013-3221 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-11 | N/A |
| The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. | ||||
| CVE-2013-1856 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2025-04-11 | N/A |
| The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference. | ||||
| CVE-2013-1855 | 3 Redhat, Rhel Sam, Rubyonrails | 5 Enterprise Linux, Openshift, 1.4 and 2 more | 2025-04-11 | N/A |
| The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. | ||||
| CVE-2013-0276 | 3 Redhat, Rhel Sam, Rubyonrails | 3 Openshift, 1.2, Rails | 2025-04-11 | N/A |
| ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request. | ||||