CVE-2014-7818
https://notcve.org/view.php?id=CVE-2014-7818
08 Nov 2014 — Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. • http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2014-3514 – rubygem-activerecord: Strong Parameter bypass with create_with
https://notcve.org/view.php?id=CVE-2014-3514
20 Aug 2014 — activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. • http://openwall.com/lists/oss-security/2014/08/18/10 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') • CWE-264: Permissions, Privileges, and Access Controls
CVE-2014-3483 – rubygem-activerecord: SQL injection vulnerability in 'range' quoting
https://notcve.org/view.php?id=CVE-2014-3483
07 Jul 2014 — SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting. • http://openwall.com/lists/oss-security/2014/07/02/5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')