CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2012-6497
https://notcve.org/view.php?id=CVE-2012-6497
04 Jan 2013 — The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product. La gema Authlogic para Ruby on Rails, cuando se utiliza con algunas versiones antes de v3.2.10, hace llamadas al método find_by_id pote... • http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 2%CPEs: 84EXPL: 1CVE-2012-6496 – rubygem-activerecord: find_by_* SQL Injection
https://notcve.org/view.php?id=CVE-2012-6496
04 Jan 2013 — SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. Vulnerabilidad de inyección SQL en el componente Active Record en Ruby on Rails antes de v3.0.18, v3.1.x antes de v3.1.9, y v3.2.x antes de v3.2.10, permite a ... • http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 80EXPL: 0CVE-2012-3463 – rubygem-actionpack: potential XSS vulnerability in select_tag prompt
https://notcve.org/view.php?id=CVE-2012-3463
10 Aug 2012 — Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_tag_helper.rb en Ruby on Rails v3.x anterior a v3.0.17, v3.1.x anterior a v3.1.8, y v3.2.x anterior a v3.2.8 permite ... • http://rhn.redhat.com/errata/RHSA-2013-0154.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 142EXPL: 0CVE-2012-3464 – rubygem-actionpack: potential XSS vulnerability
https://notcve.org/view.php?id=CVE-2012-3464
10 Aug 2012 — Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails anteriores a v3.0.17, v3.1.x anterior... • http://rhn.redhat.com/errata/RHSA-2013-0154.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 142EXPL: 0CVE-2012-3465 – rubygem-actionpack: XSS Vulnerability in strip_tags
https://notcve.org/view.php?id=CVE-2012-3465
10 Aug 2012 — Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. Cross-site scripting (XSS) en actionpack/lib/action_view/helpers/sanitize_helper.rb en el (helper) strip_tags en Ruby on Rails anterior a v3.0.17, v3.1.x anterior a v3.1.8, y v3.2.x anterio a v3.2.8 permite a atacantes remot... • http://rhn.redhat.com/errata/RHSA-2013-0154.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 77EXPL: 0CVE-2012-3424 – rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest
https://notcve.org/view.php?id=CVE-2012-3424
08 Aug 2012 — The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method. El método decode_credentials method en actionpack/lib/action_controller/m... • http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html • CWE-287: Improper Authentication •
CVSS: 6.8EPSS: 4%CPEs: 139EXPL: 0CVE-2007-6077 – Gentoo Linux Security Advisory 200912-2
https://notcve.org/view.php?id=CVE-2007-6077
21 Nov 2007 — The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. El mecanismo de protección de fijación de sesión en el archivo cgi_process.rb en Rails versión 1.2.4, como es... • http://dev.rubyonrails.org/changeset/8177 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •