| CVE-2013-0277 |
critical |
— |
10.0 |
|
|
|
14y ago |
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +seria… |
| CVE-2022-32224 |
critical |
9.8 |
9.8 |
|
|
|
4y ago |
Active Record RCE bug with Serialized Columns |
| CVE-2023-22794 |
high |
— |
8.0 |
|
|
|
3y ago |
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints`… |
| CVE-2022-44566 |
high |
— |
8.0 |
|
|
|
3y ago |
A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connectio… |
| CVE-2012-2695 |
high |
— |
7.5 |
|
|
|
9y ago |
activerecord vulnerable to SQL Injection |
| CVE-2011-0448 |
high |
— |
7.5 |
|
|
|
9y ago |
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-num… |
| CVE-2011-2930 |
high |
— |
7.5 |
|
|
|
9y ago |
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before … |
| CVE-2016-6317 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote a… |
| CVE-2014-3514 |
high |
— |
7.5 |
|
|
|
12y ago |
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection… |
| CVE-2014-3482 |
high |
— |
7.5 |
|
|
|
12y ago |
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows r… |
| CVE-2014-3483 |
high |
— |
7.5 |
|
|
|
12y ago |
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before … |
| CVE-2012-6496 |
high |
— |
7.5 |
|
|
|
14y ago |
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a … |
| CVE-2014-0080 |
medium |
— |
6.8 |
|
|
|
13y ago |
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, al… |
| CVE-2010-3933 |
medium |
— |
6.4 |
|
|
|
9y ago |
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs. |
| CVE-2012-2660 |
medium |
— |
6.4 |
|
|
|
9y ago |
Action Pack contains database-query restrictions bypass |
| CVE-2013-3221 |
medium |
— |
6.4 |
|
|
|
13y ago |
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored value… |
| CVE-2013-0155 |
medium |
— |
6.4 |
|
|
|
14y ago |
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implement… |
| CVE-2015-7577 |
medium |
5.3 |
5.3 |
|
|
|
11y ago |
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta… |
| CVE-2013-1854 |
medium |
— |
5.0 |
|
|
|
13y ago |
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attack… |
| CVE-2012-2661 |
medium |
— |
5.0 |
|
|
|
14y ago |
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveReco… |
| CVE-2013-0276 |
medium |
— |
4.3 |
|
|
|
14y ago |
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attribut… |
| CVE-2025-55193 |
unknown |
— |
— |
|
|
|
10mo ago |
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is dire… |
| CVE-2021-22880 |
unknown |
— |
— |
|
|
|
5y ago |
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validat… |
| CVE-2008-4094 |
unknown |
— |
— |
|
|
|
9y ago |
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, A… |
