CVSS: 4.3EPSS: 0%CPEs: 47EXPL: 0CVE-2011-2197
https://notcve.org/view.php?id=CVE-2011-2197
30 Jun 2011 — The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. La característica de prevención de secuencias de comandos en sitios cruzados (XSS) de Ruby en Rails v2.x anterior a v2.3.12, v3.0.x anterior a v3.0.8,... • http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2011-0449 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0449
21 Feb 2011 — actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters. actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x anteriores a v3.0.4, cuando un sistema de ficheros sensible a mayúsculas y minúscul... • http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2011-0448 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0448
21 Feb 2011 — Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. Ruby on Rails v3.0.x anteriores a v3.0.4 no garantiza que los argumentos de la función de especificar los valores límite de número entero, lo que facilita a los atacantes remotos para realizar ataques de inyección SQL a través de un argumento no numérico. Multiple vulnerabilities were found in Rub... • http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 30EXPL: 0CVE-2011-0446 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0446
14 Feb 2011 — Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la ayuda mail_to en Ruby on Rails en versiones anteriores a v2.3.11, y v3.x anterior a v3.0.4, cuando se usa la codificación Javascript permite a atacantes remotos... • http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 1%CPEs: 24EXPL: 0CVE-2011-0447 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0447
14 Feb 2011 — Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. Ruby on Rails v2.1.x, v2.2.x, and v2.3.x anteriores a v2.3.11,y v3.x anteriores a v3.0.4 no valida correctamente las ... • http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2010-3933 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2010-3933
27 Oct 2010 — Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. Ruby on Rails v2.3.9 y v3.0.0 no controla correctamente los atributos anidados, lo cual permite a atacantes remotos modificar registros a su elección, cambiando los nombres de los parámetros por formularios de entrada. Multiple vulnerabilities were found in Ruby on Rails, the worst of which allowing for execution of arbitrary... • http://secunia.com/advisories/41930 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 4%CPEs: 139EXPL: 0CVE-2007-6077
https://notcve.org/view.php?id=CVE-2007-6077
21 Nov 2007 — The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. El mecanismo de protección de fijación de sesión en el archivo cgi_process.rb en Rails versión 1.2.4, como es... • http://dev.rubyonrails.org/changeset/8177 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •