Rubyonrails

Rails

111 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.4

CVE-2010-3933

  • EPSS 0.71%
  • Published 28.10.2010 00:00:05
  • Last modified 11.04.2025 00:51:21

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

6.8

CVE-2008-7248

Exploit
  • EPSS 11.41%
  • Published 16.12.2009 01:30:00
  • Last modified 09.04.2025 00:30:58

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this ...

4.3

CVE-2009-4214

  • EPSS 1.63%
  • Published 07.12.2009 17:30:00
  • Last modified 09.04.2025 00:30:58

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to ...

4.3

CVE-2009-3009

  • EPSS 1.63%
  • Published 08.09.2009 18:30:00
  • Last modified 09.04.2025 00:30:58

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

5

CVE-2009-3086

  • EPSS 0.56%
  • Published 08.09.2009 18:30:00
  • Last modified 09.04.2025 00:30:58

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple a...

5

CVE-2008-5189

  • EPSS 0.19%
  • Published 21.11.2008 12:00:00
  • Last modified 09.04.2025 00:30:58

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

7.5

CVE-2008-4094

Exploit
  • EPSS 2.9%
  • Published 30.09.2008 17:22:09
  • Last modified 09.04.2025 00:30:58

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and Actio...

6.8

CVE-2007-6077

  • EPSS 4.15%
  • Published 21.11.2007 21:46:00
  • Last modified 09.04.2025 00:30:58

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first i...

4.3

CVE-2007-3227

Exploit
  • EPSS 12.05%
  • Published 14.06.2007 23:30:00
  • Last modified 09.04.2025 00:30:58

Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

7.5

CVE-2006-4111

  • EPSS 2.88%
  • Published 14.08.2006 21:04:00
  • Last modified 03.04.2025 01:03:51

Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.