CVE-2012-3464 – rubygem-actionpack: potential XSS vulnerability
https://notcve.org/view.php?id=CVE-2012-3464
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails anteriores a v3.0.17, v3.1.x anteriores a v3.1.8, y 3.2.x anteriores a v3.2.8, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores que implican el caracter ' (comilla). • http://rhn.redhat.com/errata/RHSA-2013-0154.html http://secunia.com/advisories/50694 http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain https://access.redhat.com/security/cve/CVE-2012-3464 https://bugzilla.redhat.com/show_bug.cgi?id=847199 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-4319
https://notcve.org/view.php?id=CVE-2011-4319
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring. Una vulnerabilidad de ejecución de comandos en sitios cruzados en el método de ayuda de las traducciones i18n en Ruby on Rails v3.0.x antes de v3.0.11 y v3.1.x antes de v3.1.2 y el complemento rails_xss en Ruby on Rails v2.3.x, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con una cadena de traducciones cuyo nombre termina con la subcadena "html". • http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1 http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain http://openwall.com/lists/oss-security/2011/11/18/8 http://osvdb.org/77199 http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released http://www.securityfocus.com/bid/50722 http://www.securitytracker.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-2930
https://notcve.org/view.php?id=CVE-2011-2930
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. Múltiples vulnerabilidades de inyección SQL en el método quote_table_name en el adaptador ActiveRecord de activerecord/lib/active_record/connection_adapters/ in Ruby on Rails antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5, permite a atacantes remotos ejecutar comandos SQL de su elección a través de un nombre de columna modificado. • http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 http://www.debian.org/security/2011/dsa-2301 http://www.openwall.com/lists/oss-security/2011/08/17/1 http://www.openwall.com/lists/oss-security/2011/08/19/11 http://www.openwall.com/lists/oss-security/2011/08/20/1 http://www • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2011-2932
https://notcve.org/view.php?id=CVE-2011-2932
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." Vulnerabilidad de ejecución de secuencias comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails v2.x antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5 permite a atacantes remotos ejecutar secuencias de comandos web o HTML a través de cadenas Unicode malformadas, relacionado con una "vulnerabilidad de escapado UTF-8" • http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://secunia.com/advisories/45917 http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 http://www.openwall.com/lists/oss-security/2011/08/17/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-2931
https://notcve.org/view.php?id=CVE-2011-2931
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. Vulnerabilidad de ejecución de secuencias comandos en sitios cruzados (XSS) en strip_tags de actionpack/lib/action_controller/vendor/html-scanner/html/node.rb en Ruby on Rails v2.x antes de v2.3.13, v3.0.x antes de v3.0.10, y v3.1.x antes de v3.1.0.rc5 permite a atacantes remotos ejecutar secuencias de comandos web o HTML a través una etiqueta con un nombre no válido. • http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://secunia.com/advisories/45921 http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 http://www.debian.org/security/2011/dsa-2301 http:// • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •