Page 9 of 52 results (0.006 seconds)

CVSS: 7.5EPSS: 0%CPEs: 84EXPL: 1

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. Vulnerabilidad de inyección SQL en el componente Active Record en Ruby on Rails antes de v3.0.18, v3.1.x antes de v3.1.9, y v3.2.x antes de v3.2.10, permite a atacantes remotos ejecutar comandos SQL a través de una solicitud modificada que aprovecha el comportamiento incorrecto de buscadores dinámicos en aplicaciones que pueden utilizar los tipos de datos inesperados en ciertas llamadas al método find_by_. • http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts http://rhn.redhat.com/errata/RHSA-2013-0154.html http://rhn.redhat.com/errata/RHSA-2013-0155.html http://rhn.redhat.com/errata/RHSA-2013-0220.html http://rhn.redhat.com/errata/RHSA-2013-0544.html http://security.gentoo.org/glsa/glsa-201401-22.xml http://www.securityfocus.com/bid/57084 https://bugzilla.redhat.com/show_bug.cgi?id=889649 https://groups.google.com&#x • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 80EXPL: 0

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en actionpack/lib/action_view/helpers/form_tag_helper.rb en Ruby on Rails v3.x anterior a v3.0.17, v3.1.x anterior a v3.1.8, y v3.2.x anterior a v3.2.8 permite la administración remota los atacantes para inyectar secuencias de comandos web o HTML a través del campo del sistema para el (helper) select_tag. • http://rhn.redhat.com/errata/RHSA-2013-0154.html http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain https://access.redhat.com/security/cve/CVE-2012-3463 https://bugzilla.redhat.com/show_bug.cgi?id=847196 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 142EXPL: 0

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. Cross-site scripting (XSS) en actionpack/lib/action_view/helpers/sanitize_helper.rb en el (helper) strip_tags en Ruby on Rails anterior a v3.0.17, v3.1.x anterior a v3.1.8, y v3.2.x anterio a v3.2.8 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de código HTML con formato incorrecto. • http://rhn.redhat.com/errata/RHSA-2013-0154.html http://secunia.com/advisories/50694 http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain https://access.redhat.com/security/cve/CVE-2012-3465 https://bugzilla.redhat.com/show_bug.cgi?id=847200 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 142EXPL: 0

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en activesupport/lib/active_support/core_ext/string/output_safety.rb en Ruby on Rails anteriores a v3.0.17, v3.1.x anteriores a v3.1.8, y 3.2.x anteriores a v3.2.8, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores que implican el caracter ' (comilla). • http://rhn.redhat.com/errata/RHSA-2013-0154.html http://secunia.com/advisories/50694 http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain https://access.redhat.com/security/cve/CVE-2012-3464 https://bugzilla.redhat.com/show_bug.cgi?id=847199 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 77EXPL: 0

The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method. El método decode_credentials method en actionpack/lib/action_controller/metal/http_authentication.rb en Ruby on Rails 3.x anterior a 3.0.16, 3.1.x anterior a 3.1.7, y 3.2.x anterior a 3.2.7 convierte las cadenas Digest Authentication a símbolos, lo que permite a atacantes remotos provocar una denegación de servicio aprovechando el acceso a una aplicación que se utiliza un método de ayuda with_http_digest, como se demostró con el método authenticate_or_request_with_http_digest. • http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html http://rhn.redhat.com/errata/RHSA-2013-0154.html http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain https://access.redhat.com/security/cve/CVE-2012-3424 https://bugzilla.redhat.com/show_bug.cgi?id=843711 • CWE-287: Improper Authentication •