| CVE-2011-0447 |
medium |
— |
6.8 |
|
|
|
9y ago |
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers… |
| CVE-2012-2660 |
medium |
— |
6.4 |
|
|
|
9y ago |
Action Pack contains database-query restrictions bypass |
| CVE-2013-6417 |
medium |
— |
6.4 |
|
|
|
13y ago |
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and… |
| CVE-2016-6316 |
medium |
6.1 |
6.1 |
|
|
|
10y ago |
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or… |
| CVE-2013-6414 |
medium |
— |
6.0 |
|
|
|
13y ago |
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a hea… |
| CVE-2022-23633 |
medium |
— |
5.5 |
|
|
|
4y ago |
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `Action… |
| CVE-2021-22942 |
medium |
— |
5.5 |
|
|
|
5y ago |
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. |
| CVE-2021-22885 |
medium |
— |
5.5 |
|
|
|
5y ago |
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. |
| CVE-2021-22904 |
medium |
— |
5.5 |
|
|
|
5y ago |
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive … |
| CVE-2021-22903 |
medium |
— |
5.5 |
|
|
|
5y ago |
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Author… |
| CVE-2021-22902 |
medium |
— |
5.5 |
|
|
|
5y ago |
The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of A… |
| CVE-2011-3187 |
medium |
— |
5.3 |
|
|
|
9y ago |
The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which… |
| CVE-2016-2097 |
medium |
5.3 |
5.3 |
|
|
|
10y ago |
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted u… |
| CVE-2011-2929 |
medium |
— |
5.0 |
|
|
|
9y ago |
The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which… |
| CVE-2014-7829 |
medium |
— |
5.0 |
|
|
|
12y ago |
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4… |
| CVE-2014-0082 |
medium |
— |
5.0 |
|
|
|
13y ago |
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows r… |
| CVE-2012-3424 |
medium |
— |
5.0 |
|
|
|
14y ago |
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentic… |
| CVE-2020-8166 |
medium |
4.3 |
4.3 |
|
|
|
6y ago |
Ability to forge per-form CSRF tokens in Rails |
| CVE-2011-0446 |
medium |
— |
4.3 |
|
|
|
9y ago |
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbi… |
| CVE-2011-2197 |
medium |
— |
4.3 |
|
|
|
9y ago |
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it … |
| CVE-2011-2931 |
medium |
— |
4.3 |
|
|
|
9y ago |
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x b… |
| CVE-2011-4319 |
medium |
— |
4.3 |
|
|
|
9y ago |
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows re… |
| CVE-2012-2694 |
medium |
— |
4.3 |
|
|
|
9y ago |
actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request |
| CVE-2014-7818 |
medium |
— |
4.3 |
|
|
|
12y ago |
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4… |
| CVE-2014-0081 |
medium |
— |
4.3 |
|
|
|
13y ago |
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remot… |
| CVE-2013-6415 |
medium |
— |
4.3 |
|
|
|
13y ago |
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote atta… |
| CVE-2013-4491 |
medium |
— |
4.3 |
|
|
|
13y ago |
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allo… |
| CVE-2013-6416 |
medium |
— |
4.3 |
|
|
|
13y ago |
Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary… |
| CVE-2013-1855 |
medium |
— |
4.3 |
|
|
|
13y ago |
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2… |
| CVE-2013-1857 |
medium |
— |
4.3 |
|
|
|
13y ago |
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 … |
| CVE-2012-3465 |
medium |
— |
4.3 |
|
|
|
14y ago |
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 a… |
| CVE-2012-3463 |
medium |
— |
4.3 |
|
|
|
14y ago |
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attacker… |
| CVE-2012-1099 |
medium |
— |
4.3 |
|
|
|
15y ago |
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3… |
| CVE-2011-3186 |
medium |
— |
4.3 |
|
|
|
15y ago |
CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response sp… |
| CVE-2016-0752 |
unknown |
— |
2.5 |
|
|
|
11y ago |
Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files. |
| CVE-2014-0130 |
unknown |
— |
1.5 |
|
|
|
12y ago |
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted re… |
