Skip to main content

Rails

78 CVEs product

Monthly

CVE-2024-32464 Ruby MEDIUM PATCH This Month

Action Text brings rich text content and editing to Rails. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Rails
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-28103 Ruby CRITICAL PATCH Act Now

Action Pack is a framework for handling and responding to web requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rails
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-26144 Ruby MEDIUM PATCH This Month

Rails is a web-application framework. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Rails
NVD GitHub
CVSS 3.1
5.3
EPSS
1.1%
CVE-2024-26143 Ruby MEDIUM POC PATCH This Month

Rails is a web-application framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Rails
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2024-26142 Ruby HIGH PATCH This Week

Rails is a web-application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rails
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-22797 Ruby MEDIUM PATCH This Month

An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Actionpack Rails
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2023-22795 Ruby HIGH PATCH This Week

A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rails Debian Linux
NVD
CVSS 3.1
7.5
EPSS
2.3%
CVE-2023-22792 Ruby HIGH PATCH This Week

A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rails
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-3704 MEDIUM POC PATCH This Month

A vulnerability classified as problematic has been found in Ruby on Rails. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Rails
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-22942 Ruby MEDIUM PATCH This Month

A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Rails
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2021-22904 Ruby HIGH POC PATCH This Week

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Rails
NVD
CVSS 3.1
7.5
EPSS
4.8%
CVE-2021-22903 Ruby MEDIUM PATCH This Month

The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Rails
NVD
CVSS 3.1
6.1
EPSS
1.2%
CVE-2021-22902 Ruby HIGH POC PATCH This Week

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Rails
NVD
CVSS 3.1
7.5
EPSS
2.8%
CVE-2021-22885 Ruby HIGH POC PATCH This Week

A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Rails Actionpack Page Caching Debian Linux
NVD
CVSS 3.1
7.5
EPSS
4.2%
CVE-2021-22881 Ruby MEDIUM POC PATCH THREAT This Month

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Open Redirect Rails Fedora
NVD
CVSS 3.1
6.1
EPSS
87.3%
CVE-2021-22880 Ruby HIGH POC PATCH This Week

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PostgreSQL Denial Of Service Rails Fedora
NVD
CVSS 3.1
7.5
EPSS
4.4%
CVE-2020-8185 Ruby MEDIUM PATCH This Month

A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rails Fedora
NVD
CVSS 3.1
6.5
EPSS
2.2%
CVE-2020-8166 Ruby MEDIUM POC PATCH This Month

A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Rails Debian Linux
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2020-8163 Ruby HIGH POC PATCH THREAT This Week

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Rails Debian Linux
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
83.1%
CVE-2020-8167 Ruby MEDIUM POC PATCH This Month

A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Rails Debian Linux
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-8165 Ruby CRITICAL POC PATCH THREAT Act Now

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux Leap
NVD
CVSS 3.1
9.8
EPSS
45.7%
CVE-2020-8164 Ruby HIGH POC PATCH This Week

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux Backports Sle Leap
NVD
CVSS 3.1
7.5
EPSS
4.2%
CVE-2020-8162 Ruby HIGH POC PATCH This Week

A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload Rails Debian Linux
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2019-5420 Ruby CRITICAL POC PATCH THREAT Act Now

A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection Rails Debian Linux Fedora
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
92.1%
CVE-2019-5419 Ruby HIGH POC PATCH This Week

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Rails Debian Linux Cloudforms Software Collections +2
NVD
CVSS 3.1
7.5
EPSS
8.7%
CVE-2019-5418 Ruby HIGH POC KEV PATCH THREAT This Week

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Rails Debian Linux Cloudforms Leap +2
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
98.5%
CVE-2018-16477 Ruby MEDIUM POC PATCH This Month

A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Information Disclosure Rails
NVD
CVSS 3.0
6.5
EPSS
1.3%
CVE-2018-16476 Ruby HIGH POC PATCH This Week

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Rails Cloudforms
NVD
CVSS 3.0
7.5
EPSS
2.6%
CVE-2017-17917 HIGH POC This Week

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Rails
NVD
CVSS 3.1
8.1
EPSS
1.8%
CVE-2017-17916 HIGH POC This Week

SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Rails
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2016-6317 Ruby HIGH PATCH This Week

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Rails
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2016-6316 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Rails Ruby On Rails Debian Linux
NVD
CVSS 3.0
6.1
EPSS
1.6%
CVE-2016-2098 Ruby HIGH POC PATCH THREAT Act Now

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.4%.

RCE Debian Linux Rails Ruby On Rails
NVD Exploit-DB
CVSS 3.0
7.3
EPSS
87.4%
Threat
5.6
CVE-2016-2097 Ruby MEDIUM PATCH This Month

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rails Ruby On Rails
NVD
CVSS 3.0
5.3
EPSS
1.9%
CVE-2016-0753 Ruby MEDIUM PATCH This Month

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Rails Debian Linux Fedora Leap
NVD
CVSS 3.1
5.3
EPSS
2.3%
CVE-2016-0751 Ruby HIGH PATCH This Week

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rails Ruby On Rails
NVD
CVSS 3.0
7.5
EPSS
6.1%
CVE-2015-7581 Ruby HIGH PATCH This Week

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rails
NVD
CVSS 3.0
7.5
EPSS
7.1%
CVE-2015-7577 Ruby MEDIUM PATCH This Month

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Rails Ruby On Rails
NVD
CVSS 3.0
5.3
EPSS
1.2%
CVE-2015-7576 Ruby LOW PATCH Monitor

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Rails Ruby On Rails
NVD
CVSS 3.0
3.7
EPSS
1.6%
CVE-2015-3227 Ruby MEDIUM PATCH This Month

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Opensuse Rails
NVD
CVSS 2.0
5.0
EPSS
2.7%
CVE-2015-3226 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2014-7829 Ruby MEDIUM POC PATCH This Month

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Opensuse Rails Ruby On Rails
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2014-3916 MEDIUM This Month

The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Rails
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2014-7818 Ruby MEDIUM PATCH This Month

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rails Ruby On Rails Opensuse
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2014-3514 Ruby HIGH PATCH This Week

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Rails
NVD
CVSS 2.0
7.5
EPSS
0.3%
CVE-2014-3483 Ruby HIGH PATCH This Week

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Rails
NVD
CVSS 2.0
7.5
EPSS
0.9%
CVE-2014-3482 Ruby HIGH PATCH This Week

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Rails Ruby On Rails
NVD
CVSS 2.0
7.5
EPSS
1.5%
CVE-2014-0082 Ruby MEDIUM PATCH This Month

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rails Ruby On Rails
NVD
CVSS 2.0
5.0
EPSS
6.5%
CVE-2014-0081 Ruby MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails Opensuse Cloudforms +1
NVD
CVSS 2.0
4.3
EPSS
0.9%
CVE-2014-0080 Ruby MEDIUM PATCH This Month

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used,. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

SQLi PostgreSQL Rails
NVD
CVSS 2.0
6.8
EPSS
0.2%
CVE-2013-6417 Ruby MEDIUM PATCH This Month

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Rails Ruby On Rails
NVD
CVSS 2.0
6.4
EPSS
0.5%
CVE-2013-6416 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2013-6415 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
1.5%
CVE-2013-6414 Ruby MEDIUM POC PATCH THREAT This Month

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 70.8%.

Denial Of Service Rails Ruby On Rails
NVD
CVSS 2.0
5.0
EPSS
70.8%
Threat
4.6
CVE-2013-4491 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.7%
CVE-2013-4389 Ruby MEDIUM POC PATCH This Month

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Denial Of Service Rails Opensuse Debian Linux
NVD
CVSS 2.0
4.3
EPSS
1.3%
CVE-2013-3221 Ruby MEDIUM POC PATCH This Month

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Rails Ruby On Rails
NVD GitHub
CVSS 2.0
6.4
EPSS
0.5%
CVE-2013-1857 Ruby MEDIUM PATCH This Month

The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Enterprise Linux Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2013-1856 Ruby MEDIUM PATCH This Month

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Denial Of Service Rails Ruby On Rails
NVD
CVSS 2.0
5.8
EPSS
0.7%
CVE-2013-1855 Ruby MEDIUM PATCH This Month

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Rails Ruby On Rails Enterprise Linux
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2013-1854 Ruby MEDIUM PATCH This Month

The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rails Ruby On Rails Enterprise Linux
NVD
CVSS 2.0
5.0
EPSS
1.8%
CVE-2013-0277 Ruby CRITICAL PATCH Act Now

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service RCE Rails Ruby On Rails
NVD
CVSS 2.0
10.0
EPSS
6.7%
CVE-2013-0276 Ruby MEDIUM PATCH This Month

ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Rails
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2013-0333 Ruby HIGH POC PATCH THREAT Act Now

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%.

SQLi RCE Rails Ruby On Rails
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
91.9%
Threat
5.8
CVE-2013-0156 Ruby HIGH POC PATCH THREAT Act Now

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%.

Denial Of Service RCE Rails Ruby On Rails Debian Linux
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
91.9%
Threat
5.8
CVE-2013-0155 Ruby MEDIUM PATCH This Month

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 18.2%.

Privilege Escalation Rails Ruby On Rails Debian Linux
NVD
CVSS 2.0
6.4
EPSS
18.2%
CVE-2012-6497 Ruby MEDIUM POC PATCH This Month

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2012-6496 Ruby HIGH POC PATCH This Week

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails Ruby On Rails
NVD
CVSS 2.0
7.5
EPSS
1.0%
CVE-2012-3465 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-3464 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-3463 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-3424 Ruby MEDIUM PATCH This Month

The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Denial Of Service Authentication Bypass Rails Ruby On Rails
NVD
CVSS 2.0
5.0
EPSS
1.0%
CVE-2012-2695 Ruby HIGH POC PATCH This Week

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails Ruby On Rails
NVD
CVSS 2.0
7.5
EPSS
0.6%
CVE-2012-2694 Ruby MEDIUM POC PATCH This Month

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Privilege Escalation Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2012-2661 Ruby MEDIUM POC PATCH This Month

The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails Ruby On Rails
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2012-2660 Ruby MEDIUM POC PATCH This Month

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Rails Ruby On Rails
NVD
CVSS 2.0
6.4
EPSS
0.3%
CVE-2012-1099 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2012-1098 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
CVSS 2.0
4.3
EPSS
0.4%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Action Text brings rich text content and editing to Rails. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Rails
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Action Pack is a framework for handling and responding to web requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rails
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Rails is a web-application framework. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Rails
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Rails is a web-application framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Rails
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Rails is a web-application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rails
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Actionpack Rails
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rails Debian Linux
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rails
NVD
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

A vulnerability classified as problematic has been found in Ruby on Rails. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Rails
NVD GitHub VulDB
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Rails
NVD
EPSS 5% CVSS 7.5
HIGH POC PATCH This Week

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Rails
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Rails
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Rails
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Rails Actionpack Page Caching +1
NVD
EPSS 87% CVSS 6.1
MEDIUM POC PATCH THREAT This Month

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Open Redirect Rails Fedora
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PostgreSQL Denial Of Service Rails +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rails Fedora
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Rails Debian Linux
NVD
EPSS 83% CVSS 8.8
HIGH POC PATCH THREAT This Week

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Rails +1
NVD Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Rails Debian Linux
NVD
EPSS 46% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux +1
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Rails Debian Linux +2
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload Rails Debian Linux
NVD
EPSS 92% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection Rails +2
NVD Exploit-DB
EPSS 9% CVSS 7.5
HIGH POC PATCH This Week

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Rails Debian Linux +4
NVD
EPSS 99% CVSS 7.5
HIGH POC KEV PATCH THREAT This Week

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Rails Debian Linux +4
NVD Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Information Disclosure Rails
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Rails Cloudforms
NVD
EPSS 2% CVSS 8.1
HIGH POC This Week

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Rails
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Rails
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Rails
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Rails Ruby On Rails +1
NVD
EPSS 87% 5.6 CVSS 7.3
HIGH POC PATCH THREAT Act Now

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.4%.

RCE Debian Linux Rails +1
NVD Exploit-DB
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rails Ruby On Rails
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Rails Debian Linux +2
NVD
EPSS 6% CVSS 7.5
HIGH PATCH This Week

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rails Ruby On Rails
NVD
EPSS 7% CVSS 7.5
HIGH PATCH This Week

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rails
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Rails Ruby On Rails
NVD
EPSS 2% CVSS 3.7
LOW PATCH Monitor

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Rails Ruby On Rails
NVD
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Opensuse Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Opensuse Rails +1
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rails Ruby On Rails +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Rails
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Rails
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi PostgreSQL Rails +1
NVD
EPSS 6% CVSS 5.0
MEDIUM PATCH This Month

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rails Ruby On Rails
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails +3
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used,. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

SQLi PostgreSQL Rails
NVD
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Rails Ruby On Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
EPSS 71% 4.6 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 70.8%.

Denial Of Service Rails Ruby On Rails
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Denial Of Service Rails Opensuse +1
NVD
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Rails Ruby On Rails
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Enterprise Linux Rails +1
NVD
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Denial Of Service Rails Ruby On Rails
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Rails Ruby On Rails +1
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rails Ruby On Rails +1
NVD
EPSS 7% CVSS 10.0
CRITICAL PATCH Act Now

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service RCE Rails +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Rails
NVD
EPSS 92% 5.8 CVSS 7.5
HIGH POC PATCH THREAT Act Now

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%.

SQLi RCE Rails +1
NVD Exploit-DB
EPSS 92% 5.8 CVSS 7.5
HIGH POC PATCH THREAT Act Now

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%.

Denial Of Service RCE Rails +2
NVD Exploit-DB
EPSS 18% CVSS 6.4
MEDIUM PATCH This Month

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 18.2%.

Privilege Escalation Rails Ruby On Rails +1
NVD
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails Ruby On Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Denial Of Service Authentication Bypass Rails +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails Ruby On Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Privilege Escalation Rails Ruby On Rails
NVD
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Rails Ruby On Rails
NVD
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Rails Ruby On Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rails Ruby On Rails
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy