CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5379
https://notcve.org/view.php?id=CVE-2007-5379
19 Oct 2007 — Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file. El Rails anterior al 1.2.4, como el utilizado en el "Ruby on Rails", permite a atacantes remotos y a los servidores ActiveResource determinar la existencia de fi... • http://bugs.gentoo.org/show_bug.cgi?id=195315 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 2%CPEs: 33EXPL: 0CVE-2006-4111
https://notcve.org/view.php?id=CVE-2006-4111
14 Aug 2006 — Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. Ruby on Rails anterior a 1.1.5 permite a un atacante remoto ejecutar código Ruby con un impacto "severo" o "serio" a través de una respuesta File Upload con una cabecera HTTP que modifica la variable LOAD_PATH, una vulnerabilidad diferente que CVE-2006-4112. • http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •