CVSS: 4.3 • EPSS: 90% • CPEs: 1 • EXPL: 4

26 Jul 2015 — request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request. • https://www.exploit-db.com/exploits/41689 • CWE-284: Improper Access Control