CVSS: 9.8EPSS: 0%CPEs: 70EXPL: 2CVE-2012-2661 – rubygem-activerecord: SQL injection when processing nested query paramaters
https://notcve.org/view.php?id=CVE-2012-2661
22 Jun 2012 — The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695. El componente Active Record en Ruby on Rails v3.0.x antes de v3.0.13, v3.1.x antes de v3.1.5 y v3.2.x antes de 3.2.4 no implementan co... • https://github.com/r4x0r1337/-CVE-2012-2661-ActiveRecord-SQL-injection- • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 5%CPEs: 74EXPL: 1CVE-2012-2695 – rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661)
https://notcve.org/view.php?id=CVE-2012-2695
22 Jun 2012 — The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. El componente 'Active Record' en Ruby on Rails antes de la version v3.0.14, v3.1.x antes de v3.1.6 y v3.2.x antes de v3.2.6 no... • http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 74EXPL: 1CVE-2012-2694 – rubygem-actionpack: Unsafe query generation (a different flaw than CVE-2012-2660)
https://notcve.org/view.php?id=CVE-2012-2694
22 Jun 2012 — actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660. actionpack/lib/action_dispatch/http/request.rb en Ruby on Rai... • http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html • CWE-264: Permissions, Privileges, and Access Controls CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 6.1EPSS: 0%CPEs: 61EXPL: 0CVE-2012-1099
https://notcve.org/view.php?id=CVE-2012-1099
13 Mar 2012 — Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_options_helper.rb en "select helper" de Ruby on Rail... • http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 61EXPL: 0CVE-2012-1098
https://notcve.org/view.php?id=CVE-2012-1098
13 Mar 2012 — Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Ruby on Rails 3.0.x anteriores a 3.0.12, 3.1.x anteriores a 3.1.4, y 3.2.x anterioes a 3.2.2 permite a atacantes remotos inyectar codigo de script web o código HTML de su ... • http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 91EXPL: 0CVE-2011-4319
https://notcve.org/view.php?id=CVE-2011-4319
28 Nov 2011 — Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring. Una vulnerabilidad de ejecución de comandos en sitios cruzados en el método de ayuda de las traducciones i18n en Ruby on Rails v3.0.x antes de v3.0.11 y v3.1.x antes de v3.... • http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 59EXPL: 0CVE-2011-2931 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-2931
29 Aug 2011 — Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. Vulnerabilidad de ejecución de secuencias comandos en sitios cruzados (XSS) en strip_tags de actionpack/lib/action_controller/vendor/html-scanner/html/node.rb en Ruby on Rails v2.x antes de v2.3.13, v3.... • http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 41EXPL: 0CVE-2011-2929 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-2929
29 Aug 2011 — The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability." La funcionalidad de selección de plantilla en actionpack/lib/action_view/template/resolver.rb en Ruby sobre Rails 3.0.x anterior a v3.0.10 y v3.1.x anterior a v3.1.0.rc6 no maneja adecuadamente car... • http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2011-3186 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-3186
29 Aug 2011 — CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header. Vulnerabilidad de falsificación de petición en sitios cruzados (CRLF) actionpack/lib/action_controller/response.rb en Ruby on Rails v2.3.x antes dev 2.3.13 permite a atacantes remotos inyectar cabeceras HTTP de su elección y llevar a cabo ataques HTTP de división de r... • http://groups.google.com/group/rubyonrails-security/msg/bbe342e43abaa78c?dmode=source&output=gplain • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 59EXPL: 0CVE-2011-2930 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-2930
29 Aug 2011 — Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. Múltiples vulnerabilidades de inyección SQL en el método quote_table_name en el adaptador ActiveRecord de activerecord/lib/active_record/connection_adapters/ in Ruby on Rails antes de v2.3.13, v... • http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •