CVE-2014-125033 – rails-cv-app uploaded_files_controller.rb path traversal
https://notcve.org/view.php?id=CVE-2014-125033
A vulnerability was found in rails-cv-app. It has been rated as problematic. Some unknown functionality of the file app/controllers/uploaded_files_controller.rb is affected. Manipulation of the input ../../../etc/passwd leads to path traversal: '..
References: https://github.com/bertrand-caron/rails-cv-app/commit/0d20362af0a5f8a126f67c77833868908484a863 https://vuldb.com/?ctiid.217178 https://vuldb.com/?id.217178
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-24: Path Traversal: '../filedir'
CVE-2020-36190
https://notcve.org/view.php?id=CVE-2020-36190
RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms.
References: https://github.com/sferik/rails_admin/blob/master/README.md https://github.com/sferik/rails_admin/commit/d72090ec6a07c3b9b7b48ab50f3d405f91ff4375 https://github.com/sferik/rails_admin/compare/v1.4.2...v1.4.3
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10522
https://notcve.org/view.php?id=CVE-2016-10522
The rails_admin Ruby gem before v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods did not validate CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.
References: https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2017-12098
https://notcve.org/view.php?id=CVE-2017-12098
An exploitable cross-site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin Rails gem version 1.2.0. A specially crafted URL can trigger the XSS flaw, allowing an attacker to execute arbitrary JavaScript in the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.
References: http://www.securityfocus.com/bid/102486 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1756
https://notcve.org/view.php?id=CVE-2013-1756
The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request.
References: http://secunia.com/advisories/52380 http://www.securityfocus.com/bid/58225 https://exchange.xforce.ibmcloud.com/vulnerabilities/82476 https://github.com/markevans/dragonfly/commit/a8775aacf9e5c81cf11bec34b7afa7f27ddfe277 https://groups.google.com/forum/?fromgroups=#%21topic/dragonfly-users/3c3WIU3VQTo
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')