CVSS: 6.1EPSS: 0%CPEs: 108EXPL: 0CVE-2013-6415 – rubygem-actionpack: number_to_currency XSS
https://notcve.org/view.php?id=CVE-2013-6415
06 Dec 2013 — Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. Vulnerabilidad Cross-site scripting (XSS) en number_to_currency en actionpack/lib/action_view/helpers/number_helper.rb en Ruby on Rails anterior a v3.2.16 y v4.x anterior a v4.0.2 permite a atacantes remotos inyectar script web o HTML arbitrari... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 108EXPL: 0CVE-2013-6417 – rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)
https://notcve.org/view.php?id=CVE-2013-6417
06 Dec 2013 — actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incompl... • http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-264: Permissions, Privileges, and Access Controls •