CVE-2016-6316 – rubygem-actionview: cross-site scripting flaw in Action View
https://notcve.org/view.php?id=CVE-2016-6316
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers. Vulnerabilidad de XSS en Action View en Ruby en Rails 3.x en versiones anteriores a 3.2.22.3, 4.x en versiones anteriores a 4.2.7.1 y 5.x en versiones anteriores a 5.0.0.1 podría permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de texto declarado como "HTML safe" y utilizado como valores de atributos en los manejadores de etiquetas. It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. • http://rhn.redhat.com/errata/RHSA-2016-1855.html http://rhn.redhat.com/errata/RHSA-2016-1856.html http://rhn.redhat.com/errata/RHSA-2016-1857.html http://rhn.redhat.com/errata/RHSA-2016-1858.html http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released http://www.debian.org/security/2016/dsa-3651 http://www.openwall.com/lists/oss-security/2016/08/11/3 http://www.securityfocus.com/bid/92430 https://group • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-6317 – rubygem-activerecord: unsafe query generation in Active Record
https://notcve.org/view.php?id=CVE-2016-6317
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155. Action Record en Ruby en Rails 4.2.x en versiones anteriores a 4.2.7.1 no considera adecuadamente las diferencias en en el manejo de parámetros entre el componente Active Record y la implementación de JSON, lo que permite a atacantes remotos eludir restricciones destinadas a la consulta de base de datos y realizar comprobaciones NULL o desencadenar clausulas perdidas WHERE a través de un solicitud manipulada, como se demuestra por ciertos valores "[nil]", un problema relacionado con CVE-2012-2660, CVE-2012-2694 y CVE-2013-0155. A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application. • http://rhn.redhat.com/errata/RHSA-2016-1855.html http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released http://www.openwall.com/lists/oss-security/2016/08/11/4 http://www.securityfocus.com/bid/92434 https://groups.google.com/forum/#%21topic/ruby-security-ann/WccgKSKiPZA https://access.redhat.com/security/cve/CVE-2016-6317 https://bugzilla.redhat.com/show_bug.cgi?id=1365017 • CWE-20: Improper Input Validation CWE-284: Improper Access Control CWE-476: NULL Pointer Dereference •
CVE-2016-2097 – rubygem-actionpack: directory traversal in Action View, incomplete CVE-2016-0752 fix
https://notcve.org/view.php?id=CVE-2016-2097
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. Vulnerabilidad de salto directorio en Action View en Ruby on Rails en versiones anteriores a 3.2.22.2 y 4.x en versiones anteriores a 4.1.14.2 permite a atacantes remotos leer archivos arbitrarios aprovechando el uso no restringido del método render de una aplicación y proporcionando un .. (punto punto) en un nombre de ruta. • http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released http://www.debian.org/security/2016/dsa-3509 http://www.securityfocus.com/bid/83726 http://www.securitytracker.com/id/1035122 https://groups.google.com/forum/ • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-2098 – Ruby on Rails ActionPack Inline ERB - Code Execution
https://notcve.org/view.php?id=CVE-2016-2098
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. Action Pack en Ruby on Rails en versiones anteriores a 3.2.22.2, 4.x en versiones anteriores a 4.1.14.2 y 4.2.x en versiones anteriores a 4.2.5.2 permite a atacantes remotos ejecutar código Ruby arbitrario aprovechando el uso no restringido del método render de una aplicación. A code injection flaw was found in the way Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to execute arbitrary code. • https://www.exploit-db.com/exploits/40086 https://github.com/0x00-0x00/CVE-2016-2098 https://github.com/its-arun/CVE-2016-2098 https://github.com/Shakun8/CVE-2016-2098 https://github.com/j4k0m/CVE-2016-2098 https://github.com/Debalinax64/CVE-2016-2098 https://github.com/Alejandro-MartinG/rails-PoC-CVE-2016-2098 https://github.com/3rg1s/CVE-2016-2098 https://github.com/DanielHemmati/CVE-2016-2098-my-first-exploit http://lists.opensuse.org/opensuse-security-announce/ • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2015-7578
https://notcve.org/view.php?id=CVE-2015-7578
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes. Vulnerabilidad de XSS en la gema rails-html-sanitizer en versiones anteriores a 1.0.3 para Ruby on Rails 4.2.x y 5.x permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de atributos de etiqueta manipulados. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://www.openwall.com/lists/oss-security/2016/01/25/11 http://www.securitytracker.com/id/1034816 https://git • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •