CVE-2011-3187 – Ruby on Rails 3.0.5 - 'WEBrick::HTTPRequest' Module HTTP Header Injection
https://notcve.org/view.php?id=CVE-2011-3187
29 Aug 2011 — The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. • https://www.exploit-db.com/exploits/35352 • CWE-20: Improper Input Validation •
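The failure mode in this entry is that a value taken from X-Forwarded-For reaches the log and the application's notion of the client address without ever being checked to be an IP address. The following is an added example, not the Rails middleware's own code: it models the trusted-proxy idea with Ruby's IPAddr (the private ranges used here are an assumption standing in for the framework's default trusted proxy list) and contrasts a resolver that returns the header value verbatim with one that drops anything that does not parse as an address.

```ruby
require 'ipaddr'

# Assumed trusted-proxy ranges for this example (loopback and RFC 1918 space).
TRUSTED_PROXIES = [
  IPAddr.new('127.0.0.1'),
  IPAddr.new('10.0.0.0/8'),
  IPAddr.new('172.16.0.0/12'),
  IPAddr.new('192.168.0.0/16')
].freeze

# True only if `addr` parses as an IP address; a crafted header entry such as
# 'evil 200 "GET /admin"' is rejected here rather than propagated.
def ip_address?(addr)
  return false if addr.nil? || addr.strip.empty?
  IPAddr.new(addr.strip)
  true
rescue IPAddr::Error
  false
end

def trusted_proxy?(addr)
  return false unless ip_address?(addr)
  ip = IPAddr.new(addr.strip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# Vulnerable shape: once REMOTE_ADDR is a trusted proxy, the last comma-separated
# X-Forwarded-For entry is returned as-is. Whatever text the client sent becomes
# the "remote IP" that ends up in access logs and IP-based checks.
def vulnerable_remote_ip(env)
  remote_addr = env['REMOTE_ADDR']
  return remote_addr unless trusted_proxy?(remote_addr)
  xff = env['HTTP_X_FORWARDED_FOR'].to_s
  return remote_addr if xff.strip.empty?
  xff.split(',').map(&:strip).last
end

# Hardened shape: every X-Forwarded-For entry must be a syntactically valid IP
# address; trusted proxy hops are discarded and the last remaining address is
# the client. If nothing valid survives, fall back to REMOTE_ADDR.
def hardened_remote_ip(env)
  remote_addr = env['REMOTE_ADDR']
  return remote_addr unless trusted_proxy?(remote_addr)
  candidates = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip)
  valid = candidates.select { |c| ip_address?(c) }
  client = valid.reject { |c| trusted_proxy?(c) }.last
  client || remote_addr
end

# Constructed sample request: a request arriving via an internal proxy whose
# X-Forwarded-For carries attacker-controlled text after the real client address.
def sample_env
  {
    'REMOTE_ADDR' => '192.168.1.10',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.9, evil 200 "GET /admin"'
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_remote_ip(sample_env).inspect}"
  puts "hardened:   #{hardened_remote_ip(sample_env).inspect}"
end
```

The hardened resolver still trusts the topology: if REMOTE_ADDR is not one of the configured proxies, the header is ignored entirely, which is the behaviour you want when the application is reachable without a proxy in front of it.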
CVE-2011-2932 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-2932
29 Aug 2011 — Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." • http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-2197
https://notcve.org/view.php?id=CVE-2011-2197
30 Jun 2011 — The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. • http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-0449 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0449
21 Feb 2011 — actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters. • http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2011-0448 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0448
21 Feb 2011 — Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument. Multiple vulnerabilities were found in Rub... • http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
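LIMIT is one of the few SQL clauses that cannot be bound as a prepared-statement parameter on every database, so frameworks interpolate it into the query text, and a value that is not checked to be an integer is a direct injection point. The following is an added example, not ActiveRecord's code: a minimal query builder showing the unchecked interpolation beside a sanitizer that accepts only an Integer, a decimal digit string, or a MySQL-style "offset,count" pair (that pair form is an assumption of this example) and raises on anything else.

```ruby
# Vulnerable shape: whatever the caller passed is interpolated verbatim.
# `limit` coming from params[:limit] lets an attacker append arbitrary SQL.
def vulnerable_limit_sql(table, limit)
  "SELECT * FROM #{table} LIMIT #{limit}"
end

# Accept an Integer, a base-10 digit string, or "offset,count"; raise otherwise.
# Integer(str, 10) rejects '1 UNION SELECT ...', '1; DROP TABLE ...', '0x1A',
# and anything else that is not a plain decimal number.
def sanitize_limit(limit)
  return limit if limit.is_a?(Integer)

  text = limit.to_s.strip
  if text.include?(',')
    text.split(',', 2).map { |part| Integer(part.strip, 10) }.join(',')
  else
    Integer(text, 10)
  end
end

def hardened_limit_sql(table, limit)
  "SELECT * FROM #{table} LIMIT #{sanitize_limit(limit)}"
end

# Convenience predicate for callers that prefer a boolean over an exception.
def safe_limit?(value)
  sanitize_limit(value)
  true
rescue ArgumentError, TypeError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input, as it would arrive via ?limit= in the query string.
  payload = '1; DROP TABLE users'
  puts vulnerable_limit_sql('users', payload)
  begin
    puts hardened_limit_sql('users', payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Raising on bad input is the right default here: a LIMIT value the application cannot account for is a bug in the caller or an attack, and silently coercing it with `to_i` would hide the former while still stopping the latter.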
CVE-2011-0446 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0446
14 Feb 2011 — Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. • http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-0447 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2011-0447
14 Feb 2011 — Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. • http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2010-3933 – Gentoo Linux Security Advisory 201412-28
https://notcve.org/view.php?id=CVE-2010-3933
27 Oct 2010 — Ruby on Rails 2.3.9 and 3.0.0 do not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. Multiple vulnerabilities were found in Ruby on Rails, the worst of which allows for execution of arbitrary... • http://secunia.com/advisories/41930 • CWE-20: Improper Input Validation •
CVE-2008-7248 – Ruby on Rails 2.3.5 - 'protect_from_forgery' Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2008-7248
16 Dec 2009 — Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. • https://www.exploit-db.com/exploits/33402 • CWE-20: Improper Input Validation •
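Both CSRF entries on this page (CVE-2008-7248 above and CVE-2011-0447 further up) share one root cause: the token check was skipped for requests that did not look like an ordinary browser form post, on the assumption that only non-browser clients could produce them. A cross-site `<form enctype="text/plain">` is still a browser request that carries the victim's cookies. The following is an added example, not Rails' own protect_from_forgery code: a request is modelled as a plain Hash (an assumption of this example), and the check that exempts non-form content types is shown beside one that demands the token on every state-changing request regardless of Content-Type.

```ruby
SAFE_METHODS = %w[GET HEAD].freeze

# Content types the vulnerable check treated as "browser form posts" and
# therefore the only ones it protected (an assumption of this example).
FORM_CONTENT_TYPES = %w[application/x-www-form-urlencoded multipart/form-data].freeze

# Strip parameters such as "; charset=utf-8" and normalise case.
def media_type(request)
  request[:content_type].to_s.split(';').first.to_s.strip.downcase
end

# Constant-time comparison so the check does not leak the token byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

def token_valid?(request, session_token)
  submitted = request[:params]['authenticity_token']
  submitted.is_a?(String) && secure_compare(submitted, session_token)
end

# Vulnerable shape: any non-form Content-Type is assumed to come from an API
# client and is waved through without a token. A cross-origin form with
# enctype="text/plain" (parameters carried in the POST URL's query string)
# therefore bypasses the protection.
def vulnerable_verified?(request, session_token)
  return true if SAFE_METHODS.include?(request[:method])
  return true unless FORM_CONTENT_TYPES.include?(media_type(request))
  token_valid?(request, session_token)
end

# Hardened shape: every non-GET/HEAD request must present the token,
# whatever its Content-Type claims.
def hardened_verified?(request, session_token)
  return true if SAFE_METHODS.include?(request[:method])
  token_valid?(request, session_token)
end

# Constructed forged request: what the victim's browser sends after submitting
# an attacker-hosted <form method="post" enctype="text/plain" action="...?user[admin]=1">.
def forged_text_plain_request
  { method: 'POST', content_type: 'text/plain', params: { 'user' => { 'admin' => '1' } } }
end

if __FILE__ == $PROGRAM_NAME
  token = 'session-token-for-demo'
  puts "vulnerable check passes forged request: #{vulnerable_verified?(forged_text_plain_request, token)}"
  puts "hardened check passes forged request:   #{hardened_verified?(forged_text_plain_request, token)}"
end
```

The lesson generalises beyond Content-Type: any exemption keyed on a request attribute the attacker's page can influence (content type, X-Requested-With, Accept) is an exemption the attacker will use, which is exactly the combination of plugins and redirects the CVE-2011-0447 entry describes.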
CVE-2009-4214
https://notcve.org/view.php?id=CVE-2009-4214
07 Dec 2009 — Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.3, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. • http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •