Page 8 of 45 results (0.008 seconds)

CVSS: 7.5EPSS: 6%CPEs: 74EXPL: 1

CVE-2012-2695 – rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661)

https://notcve.org/view.php?id=CVE-2012-2695

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661. El componente 'Active Record' en Ruby on Rails antes de la version v3.0.14, v3.1.x antes de v3.1.6 y v3.2.x antes de v3.2.6 no implementa correctamente el paso de los datos de la solicitud a un método 'where' en la clase ActiveRecord, lo que permite llevar a cabo determinados ataques de inyección SQL a atacantes remotos a través de los parámetros de consulta anidadas que aprovechan una indebida manipulación de los hashes anidados. Es un problema relacionado con el CVE-2012-2661. • http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html http://rhn.redhat.com/errata/RHSA-2013-0154.html https://groups.google.com/group/rubyonrails-security/msg/aee3413fb038bf56?dmode=source&output=gplain https://access.redhat.com/security/cve/CVE-2012-2695 https:/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 61EXPL: 0

CVE-2012-1098

https://notcve.org/view.php?id=CVE-2012-1098

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Ruby on Rails 3.0.x anteriores a 3.0.12, 3.1.x anteriores a 3.1.4, y 3.2.x anterioes a 3.2.2 permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de vectores que involucran un objeto SafeBuffer que es manipulado a través de determinados métodos. • http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released http://www.openwall.com/lists/oss-security/2012/03/02/6 http://www.openwall.com/lists/oss-security/2012/03/03/1 https://bugzilla.redhat.com/show_bug.cgi?id=799275 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 61EXPL: 0

CVE-2012-1099

https://notcve.org/view.php?id=CVE-2012-1099

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_options_helper.rb en "select helper" de Ruby on Rails 3.0.x anteriores a 3.0.12, 3.1.x anteriores a 3.1.4, y 3.2.x anteriores a 3.2.2 permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de vectores que involucran la generación de elementos OPTION dentro de elementos SELECT. • http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released http://www.debian.org/security/2012/dsa-2466 http://www.openwall.com/lists/oss-security/2012/03/02/6 http://www.openwall.com/lists/oss-security/2012/03/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 91EXPL: 0

CVE-2011-4319

https://notcve.org/view.php?id=CVE-2011-4319

Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring. Una vulnerabilidad de ejecución de comandos en sitios cruzados en el método de ayuda de las traducciones i18n en Ruby on Rails v3.0.x antes de v3.0.11 y v3.1.x antes de v3.1.2 y el complemento rails_xss en Ruby on Rails v2.3.x, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con una cadena de traducciones cuyo nombre termina con la subcadena "html". • http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1 http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain http://openwall.com/lists/oss-security/2011/11/18/8 http://osvdb.org/77199 http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released http://www.securityfocus.com/bid/50722 http://www.securitytracker.com&#x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 41EXPL: 0

CVE-2011-2929

https://notcve.org/view.php?id=CVE-2011-2929

The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability." La funcionalidad de selección de plantilla en actionpack/lib/action_view/template/resolver.rb en Ruby sobre Rails 3.0.x anterior a v3.0.10 y v3.1.x anterior a v3.1.0.rc6 no maneja adecuadamente caracteres glob, lo que permite a atacantes remotos renderizar vistas de su elección a través de una URL manipulada, relacionada con una vulnerabilidad "filter skipping". • http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 http://www.openwall.com/lists/oss-security/2011/08/17/1 http://www.openwall.com/lists/oss-security/2011/08/19/11 http://www.openwall.com/lists/oss-security/2011& • CWE-20: Improper Input Validation •