CVSS: 7.5EPSS: 11%CPEs: 103EXPL: 0CVE-2014-0082 – rubygem-actionpack: Action View string handling denial of service
https://notcve.org/view.php?id=CVE-2014-0082
20 Feb 2014 — actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers. actionpack/lib/action_view/template/text.rb en Action View en Ruby on Rails 3.x anterior a 3.2.17 convierte cadenas tipo MIME a símbolos durante el uso de la opción :text al método render, lo que permite a at... • http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 70%CPEs: 108EXPL: 1CVE-2013-6414 – rubygem-actionpack: Action View DoS
https://notcve.org/view.php?id=CVE-2013-6414
06 Dec 2013 — actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching. actionpack/lib/action_view/lookup_context.rb en Action View en Ruby on Rails 3.x anteriores a 3.2.16 y 4.x anteriores a 4.0.2 permite a atacantes remotos causar denegación de servicio (consumo de memoria) a través de una cabecera conteniendo un... • https://packetstorm.news/files/id/180516 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 1%CPEs: 108EXPL: 0CVE-2013-6415 – rubygem-actionpack: number_to_currency XSS
https://notcve.org/view.php?id=CVE-2013-6415
06 Dec 2013 — Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. Vulnerabilidad Cross-site scripting (XSS) en number_to_currency en actionpack/lib/action_view/helpers/number_helper.rb en Ruby on Rails anterior a v3.2.16 y v4.x anterior a v4.0.2 permite a atacantes remotos inyectar script web o HTML arbitrari... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 108EXPL: 0CVE-2013-6417 – rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)
https://notcve.org/view.php?id=CVE-2013-6417
06 Dec 2013 — actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incompl... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 108EXPL: 0CVE-2013-4491 – rubygem-actionpack: i18n missing translation XSS
https://notcve.org/view.php?id=CVE-2013-4491
06 Dec 2013 — Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. Vulnerabilidad de cross-site scripting (XSS) en actionpack/lib/action_view/helpers/translation_helper.rb en el componente internationalization en Ruby on Rails 3.x anteri... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 163EXPL: 0CVE-2013-1855 – rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
https://notcve.org/view.php?id=CVE-2013-1855
19 Mar 2013 — The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. El método sanitize_css en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en el componente Action Pa... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 163EXPL: 0CVE-2013-1857 – rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
https://notcve.org/view.php?id=CVE-2013-1857
19 Mar 2013 — The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. El sanitize helper en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en e... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 93%CPEs: 6EXPL: 11CVE-2013-0156 – Ruby on Rails - Known Secret Session Cookie Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-0156
13 Jan 2013 — active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. active_support/core_ext/hash/conv... • https://packetstorm.news/files/id/181043 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 2%CPEs: 84EXPL: 1CVE-2012-6496 – rubygem-activerecord: find_by_* SQL Injection
https://notcve.org/view.php?id=CVE-2012-6496
04 Jan 2013 — SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. Vulnerabilidad de inyección SQL en el componente Active Record en Ruby on Rails antes de v3.0.18, v3.1.x antes de v3.1.9, y v3.2.x antes de v3.2.10, permite a ... • http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 142EXPL: 0CVE-2012-3464 – rubygem-actionpack: potential XSS vulnerability
https://notcve.org/view.php?id=CVE-2012-3464
10 Aug 2012 — Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails anteriores a v3.0.17, v3.1.x anterior... • http://rhn.redhat.com/errata/RHSA-2013-0154.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •