CVE-2013-1947
https://notcve.org/view.php?id=CVE-2013-1947
kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb.
• http://www.openwall.com/lists/oss-security/2013/04/10/3
• http://www.openwall.com/lists/oss-security/2013/04/12/2
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2013-0233 – Ruby On Rails Devise Authentication Password Reset
https://notcve.org/view.php?id=CVE-2013-0233
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.
• http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released
• http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html
• http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset
• http://www.openwall.com/lists/oss-security/2013/01/29/3
• http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
• http://www.securityfocus.com/bid/57577
• https://github.com/Snorby/snorby/i
• CWE-399: Resource Management Errors
CVE-2013-1948 – Ruby Gem md2pdf Command Injection
https://notcve.org/view.php?id=CVE-2013-1948
converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename. Ruby Gem md2pdf suffers from a remote command injection vulnerability.
• http://osvdb.org/92290
• http://vapid.dhs.org/advisories/md2pdf-remote-exec.html
• http://www.securityfocus.com/bid/59061
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83416
CVE-2013-1933 – Ruby Gem Karteek Docsplit 0.5.4 Command Injection
https://notcve.org/view.php?id=CVE-2013-1933
The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename. Ruby Gem Karteek Docsplit version 0.5.4 fails to sanitize user-supplied input. If a user is tricked into extracting a file with shell characters in the name, code can be executed remotely.
• http://osvdb.org/92117
• http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html
• http://www.openwall.com/lists/oss-security/2013/04/08/15
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83277
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2013-1911
https://notcve.org/view.php?id=CVE-2013-1911
lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.
• http://archives.neohapsis.com/archives/bugtraq/2013-04/0010.html
• http://osvdb.org/91870
• http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html
• http://www.openwall.com/lists/oss-security/2013/03/31/3
• http://www.securityfocus.com/bid/58783
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83163
• CWE-20: Improper Input Validation