
CVSS: 9.8 | EPSS: 93% | CPEs: 5 | EXPL: 16

27 Mar 2019 — A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit. • https://packetstorm.news/files/id/152704 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-330: Use of Insufficiently Random Values

CVSS: 7.8 | EPSS: 9% | CPEs: 11 | EXPL: 1

27 Mar 2019 — There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html • CWE-20: Improper Input Validation; CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

29 Dec 2017 — SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. • https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.1 | EPSS: 1% | CPEs: 1 | EXPL: 2

29 Dec 2017 — SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. • https://github.com/matiasarenhard/rails-cve-2017-17917 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

16 Nov 2014 — The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string. • http://seclists.org/oss-sec/2014/q2/362 • CWE-19: Data Processing Errors

CVSS: 4.3 | EPSS: 0% | CPEs: 186 | EXPL: 0

20 Feb 2014 — Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. • http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 6 | EXPL: 0

07 Dec 2013 — Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute. • http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 108 | EXPL: 0

06 Dec 2013 — Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 70% | CPEs: 108 | EXPL: 1

06 Dec 2013 — actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching. • https://packetstorm.news/files/id/180516 • CWE-20: Improper Input Validation; CWE-400: Uncontrolled Resource Consumption

CVSS: 6.1 | EPSS: 1% | CPEs: 108 | EXPL: 0

06 Dec 2013 — Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')