CVSS: 7.5EPSS: 5%CPEs: 15EXPL: 0CVE-2013-0175
https://notcve.org/view.php?id=CVE-2013-0175
multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. multi_xml v0.5.2 de Ruby, tal como se utiliza en Grape antes de v0.2.6 y posiblemente otros productos, no restringe debidamente vaciados de valores de cadena, lo que permite a atacantes remotos realizar ataques de inyección a objetos y ejecutar código arbitrario o causar una denegación de servicio (consumo de memoria y CPU) que implica anidadas referencias de entidad XML, mediante el aprovechamiento de apoyo (1) YAML conversión de tipo o (2) la conversión de tipos Symbol, una vulnerabilidad similar a CVE-2013-0156. • http://www.openwall.com/lists/oss-security/2013/01/11/9 https://gist.github.com/nate/d7f6d9f4925f413621aa https://github.com/sferik/multi_xml/pull/34 https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0 https://news.ycombinator.com/item?id=5040457 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 0CVE-2013-1947
https://notcve.org/view.php?id=CVE-2013-1947
kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb. kelredd-pruview v0.3.8 para Ruby permite a atacantes dependientes de contexto ejecutar comandos arbitrarios vía metacaracteres de shell en un argumento de nombre de archivo a (1) document.rb, (2) video.rb, o (3) video_image.rb. • http://www.openwall.com/lists/oss-security/2013/04/10/3 http://www.openwall.com/lists/oss-security/2013/04/12/2 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.8EPSS: 9%CPEs: 17EXPL: 2CVE-2013-0233 – Ruby On Rails Devise Authentication Password Reset
https://notcve.org/view.php?id=CVE-2013-0233
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. Devise v2.2.x antes de v2.2.3, v2.1.x antes de v2.1.3, v2.0.x antes de v2.0.5, v1.5.x antes de v1.5.4 de Ruby, al utilizar ciertas bases de datos, no funciona correctamente cuando se realiza la conversión de tipos consultas de base de datos, lo que podría permitir a atacantes remotos provocar resultados incorrectos para ser devueltos y eludir los controles de seguridad a través de vectores desconocidos, como lo demuestra restablecer las contraseñas de las cuentas arbitrarias. • http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset http://www.openwall.com/lists/oss-security/2013/01/29/3 http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html http://www.securityfocus.com/bid/57577 https://github.com/Snorby/snorby/i • CWE-399: Resource Management Errors •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2013-1948 – Ruby Gem md2pdf Command Injection
https://notcve.org/view.php?id=CVE-2013-1948
converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename. converter.rb del md2pdf para Ruby v0.0.1 permite a atacantes dependientes de contexto para ejecutar comandos arbitrarios vía metacaracteres de shell en un nombre de archivo. Ruby Gem md2pdf suffers from a remote command injection vulnerability. • http://osvdb.org/92290 http://vapid.dhs.org/advisories/md2pdf-remote-exec.html http://www.securityfocus.com/bid/59061 https://exchange.xforce.ibmcloud.com/vulnerabilities/83416 •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 0CVE-2013-1933 – Ruby Gem Karteek Docsplit 0.5.4 Command Injection
https://notcve.org/view.php?id=CVE-2013-1933
The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename. La función extract_from_ocr en lib/docsplit/text_extractor.rb en el Karteek Docsplit (karteek-docsplit) v0.5.4 para Ruby permite a atacantes dependientes de contexto para ejecutar comandos arbitrarios vía metacaracteres de shell en un nombre de archivo PDF. Ruby Gem Karteek Docsplit version 0.5.4 fails to sanitize user-supplied input. If a user is tricked into extracting a file with shell characters in the name, code can be executed remotely. • http://osvdb.org/92117 http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html http://www.openwall.com/lists/oss-security/2013/04/08/15 https://exchange.xforce.ibmcloud.com/vulnerabilities/83277 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •