
CVE-2014-125054 – koroket RedditOnRails Vote access control
https://notcve.org/view.php?id=CVE-2014-125054
07 Jan 2023 — A vulnerability classified as critical was found in koroket RedditOnRails. This vulnerability affects unknown code of the component Vote Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The patch is identified as 7f3c7407d95d532fcc342b00d68d0ea09ca71030. • https://github.com/koroket/RedditOnRails/commit/7f3c7407d95d532fcc342b00d68d0ea09ca71030 • CWE-284: Improper Access Control

CVE-2014-125033 – rails-cv-app uploaded_files_controller.rb path traversal
https://notcve.org/view.php?id=CVE-2014-125033
02 Jan 2023 — A vulnerability was found in rails-cv-app. It has been rated as problematic. Affected by this issue is some unknown functionality of the file app/controllers/uploaded_files_controller.rb. The manipulation with the input ../../../etc/passwd leads to path traversal: '.. • https://github.com/bertrand-caron/rails-cv-app/commit/0d20362af0a5f8a126f67c77833868908484a863 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-24: Path Traversal: '../filedir'

CVE-2020-36190
https://notcve.org/view.php?id=CVE-2020-36190
12 Jan 2021 — RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms. • https://github.com/sferik/rails_admin/blob/master/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


CVE-2017-12098
https://notcve.org/view.php?id=CVE-2017-12098
19 Jan 2018 — An exploitable cross-site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary JavaScript in the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability. • http://www.securityfocus.com/bid/102486 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-1756
https://notcve.org/view.php?id=CVE-2013-1756
09 Jun 2014 — The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request. • http://secunia.com/advisories/52380 • CWE-94: Improper Control of Generation of Code ('Code Injection')