Page 15 of 90 results (0.012 seconds)

CVSS: 7.5EPSS: 0%CPEs: 59EXPL: 0

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. Múltiples vulnerabilidades de inyección SQL en el método quote_table_name en el adaptador ActiveRecord de activerecord/lib/active_record/connection_adapters/ in Ruby on Rails antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5, permite a atacantes remotos ejecutar comandos SQL de su elección a través de un nombre de columna modificado. • http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 http://www.debian.org/security/2011/dsa-2301 http://www.openwall.com/lists/oss-security/2011/08/17/1 http://www.openwall.com/lists/oss-security/2011/08/19/11 http://www.openwall.com/lists/oss-security/2011/08/20/1 http://www&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 59EXPL: 0

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." Vulnerabilidad de ejecución de secuencias comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails v2.x antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5 permite a atacantes remotos ejecutar secuencias de comandos web o HTML a través de cadenas Unicode malformadas, relacionado con una "vulnerabilidad de escapado UTF-8" • http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://secunia.com/advisories/45917 http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 http://www.openwall.com/lists/oss-security/2011/08/17/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 4

The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. El método to_s en actionpack/lib/action_dispatch/middleware/remote_ip.rb en Ruby on Rails v3.0.5 no valida la cabecera X-Forwarded-For de las peticiones de direcciones IP en una red de Clase C, lo que podría permitir a atacantes remotos la ejecución de documentos de texto en los archivos de registro o evitar análisis de direcciones intencionadas a través de una cabecera modificada. • https://www.exploit-db.com/exploits/35352 http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html http://www.openwall.com/lists/oss-security/2011/08/17/1 http://www.openwall.com/lists/oss-security/2011/08/19/11 http://www.openwall.com/lists/oss-security/2011/08/20/1 http://www.openwall.com/lists/oss-security/2011/08/22/13 http://www.openwall.com/lists/oss-security/2011/08& • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 59EXPL: 0

Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. Vulnerabilidad de ejecución de secuencias comandos en sitios cruzados (XSS) en strip_tags de actionpack/lib/action_controller/vendor/html-scanner/html/node.rb en Ruby on Rails v2.x antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5 permite a atacantes remotos ejecutar secuencias de comandos web o HTML a través una etiqueta con un nombre no válido. • http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://secunia.com/advisories/45921 http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 http://www.debian.org/security/2011/dsa-2301 http:// • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0

The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. La característica de prevención de secuencias de comandos en sitios cruzados (XSS) de Ruby en Rails v2.x anterior a v2.3.12, v3.0.x anterior a v3.0.8, y v3.1.x anterior a v3.1.0.rc2 no maneja adecuadamente la mutación de búfers seguros, esto facilita a los atacantes remotos provocar ataques XSS a través de cadenas manipuladas de una aplicación que usa un método de cadena problemático, como se ha demostrado con el sub-método. • http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html http://openwall.com/lists/oss-security/2011/06/09/2 http://openwall.com/lists/oss-security/2011/06/13/9 http://secunia.com/advisories/44789 http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •