CVSS: 6.1EPSS: 0%CPEs: 108EXPL: 0CVE-2013-6415 – rubygem-actionpack: number_to_currency XSS
https://notcve.org/view.php?id=CVE-2013-6415
06 Dec 2013 — Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. Vulnerabilidad Cross-site scripting (XSS) en number_to_currency en actionpack/lib/action_view/helpers/number_helper.rb en Ruby on Rails anterior a v3.2.16 y v4.x anterior a v4.0.2 permite a atacantes remotos inyectar script web o HTML arbitrari... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 108EXPL: 0CVE-2013-6417 – rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)
https://notcve.org/view.php?id=CVE-2013-6417
06 Dec 2013 — actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incompl... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2013-4389 – Debian Security Advisory 2888-1
https://notcve.org/view.php?id=CVE-2013-4389
17 Oct 2013 — Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message. Múltiples vulnerabilidadews de format string en archivos log_subscriber.rb en el componente de suscripción de log de Action Mailer en Ruby on Rails 3.x anterior a 3.2.15 permite a atacantes remotos causar una denegac... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html • CWE-134: Use of Externally-Controlled Format String •
CVSS: 7.3EPSS: 0%CPEs: 104EXPL: 1CVE-2013-3221
https://notcve.org/view.php?id=CVE-2013-3221
22 Apr 2013 — The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. El componente Active Record en Ruby on Rails 2.3.x, 3.0.x, 3.... • http://openwall.com/lists/oss-security/2013/02/06/7 • CWE-20: Improper Input Validation •
CVSS: 5.8EPSS: 1%CPEs: 47EXPL: 0CVE-2013-1856 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2013-1856
19 Mar 2013 — The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference. El backend ActiveSu... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 163EXPL: 0CVE-2013-1855 – rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
https://notcve.org/view.php?id=CVE-2013-1855
19 Mar 2013 — The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. El método sanitize_css en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en el componente Action Pa... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 163EXPL: 0CVE-2013-1857 – rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
https://notcve.org/view.php?id=CVE-2013-1857
19 Mar 2013 — The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. El sanitize helper en lib/action_controller/vendor/html-scanner/html/sanitizer.rb en e... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 8%CPEs: 62EXPL: 0CVE-2013-1854 – rubygem-activerecord: attribute_dos Symbol DoS vulnerability
https://notcve.org/view.php?id=CVE-2013-1854
19 Mar 2013 — The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. El componente Active Record en Ruby on Rails v2.3.x anterior a v2.3.18, v3.1.x anterior a v3.1.12, y v3.2.x anterior a v3.2.13, procesa determinadas consultas mediante la conversión de los hash de las claves a símbolos, lo que permite a atacan... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 1%CPEs: 58EXPL: 0CVE-2013-0276 – rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected
https://notcve.org/view.php?id=CVE-2013-0276
13 Feb 2013 — ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request. ActiveRecord en Ruby on Rails v3.2.x anteriores a v3.2.12, v3.1.x anteriores a v3.1.11, y v2.3.x anteriores a v2.3.17 permite a atacantes remotos evitar el mecanismo de protección "attr_protected" y modificar el modelo de atributos protegidos a través de una petición hecha a mano. Multi... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 12%CPEs: 59EXPL: 0CVE-2013-0277 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2013-0277
13 Feb 2013 — ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML. Active Record en Ruby on Rails v3.x anteriores a v3.1.0 y v2.3.x anteriores a v2.3.17 permite a atacantes remotos causar una denegación de servicio o ejecución de código arbitrario a través de atributos serializados manipulados que causan al asistente +serialize+ la de... • http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html •