CVSS: 5.3EPSS: 1%CPEs: 7EXPL: 0CVE-2016-0753 – rubygem-activerecord: possible input validation circumvention in Active Model
https://notcve.org/view.php?id=CVE-2016-0753
01 Feb 2016 — Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters. Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo q... • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 1%CPEs: 86EXPL: 0CVE-2015-7576 – rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller
https://notcve.org/view.php?id=CVE-2015-7576
01 Feb 2016 — The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. El método http_basic_authenticate_with en actionpack/lib/a... • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html • CWE-254: 7PK - Security Features CWE-385: Covert Timing Channel •
CVSS: 7.5EPSS: 97%CPEs: 52EXPL: 4CVE-2016-0752 – Ruby on Rails Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2016-0752
01 Feb 2016 — Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. Vulnerabilidad de salto de directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriore... • https://packetstorm.news/files/id/139143 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 5%CPEs: 8EXPL: 1CVE-2015-1840
https://notcve.org/view.php?id=CVE-2015-1840
26 Jul 2015 — jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value. Vulnerabilidad en jquery_ujs.js en jquery-rails en versiones anteriores a 3.1.3 y 4.x anteriores a la versión 4.0.4 y vulnerabilidad en rails.js en jquery-ujs en version... • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160906.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 31EXPL: 0CVE-2015-3226 – Debian Security Advisory 3464-1
https://notcve.org/view.php?id=CVE-2015-3226
26 Jul 2015 — Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. Vulnerabilidad XSS en json/encoding.rb en Active Support en Ruby on Rails en las versiones 3.x, 4.1.x anterior a 4.1.11 y 4.2 anterior a 4.2.2, permite a atacantes remotos inyectar código arbitrario HTML o web script a través de un Hash manip... • http://openwall.com/lists/oss-security/2015/06/16/17 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 13EXPL: 0CVE-2015-3227 – Debian Security Advisory 3464-1
https://notcve.org/view.php?id=CVE-2015-3227
26 Jul 2015 — The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. Vulnerabilidad en los componentes (1) jdom.rb y (2) rexml.rb en Active Support en Ruby on Rails en versiones anteriores a 4.1.11 y 4.2.x anteriores a 4.2.2, cuando JDOM o REXML está activado, permite a atacantes remotos causar una denegación de servicio (System... • http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html •
CVSS: 4.3EPSS: 90%CPEs: 1EXPL: 4CVE-2015-3224 – Ruby on Rails 4.0.x/4.1.x/4.2.x (Web Console v2) - Whitelist Bypass Code Execution
https://notcve.org/view.php?id=CVE-2015-3224
26 Jul 2015 — request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request. Vulnerabilidad en request.rb en Web Console en vesiones anteriores a 2.1.3, tal como se utiliza con Ruby on Rails en vesiones 3.x y 4.x, no restringe adecuadamente el uso de encabezados de X-Forwarded-For en la determinación de ... • https://www.exploit-db.com/exploits/41689 • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 141EXPL: 1CVE-2014-7829
https://notcve.org/view.php?id=CVE-2014-7829
18 Nov 2014 — Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818. Una vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/stati... • http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2014-3916
https://notcve.org/view.php?id=CVE-2014-3916
16 Nov 2014 — The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string. La función str_buf_cat en string.c en Ruby 1.9.3, 2.0.0, y 2.1 permite a atacantes dependientes del contexto, provocar una denegación de servicio (fallo de segmentación y caída) mediante una larga cadena de texto. • http://seclists.org/oss-sec/2014/q2/362 • CWE-19: Data Processing Errors •
CVSS: 4.3EPSS: 0%CPEs: 137EXPL: 0CVE-2014-7818
https://notcve.org/view.php?id=CVE-2014-7818
08 Nov 2014 — Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. Vulnerabilidad de salto de directorio en actionpack/lib/action_dispatch/middleware/static.rb en Action Pack en Ruby on Rails 3.x anterior a 3.2.20, 4.0.... • http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •