| CVE | Severity | | Score | Age | Description |
|---|---|---|---|---|---|
| CVE-2013-0333 | high | — | 8.5 | 14y ago | lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows re… |
| CVE-2023-22796 | high | — | 8.0 | 3y ago | A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a sta… |
| CVE-2013-1856 | medium | — | 5.8 | 13y ago | The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is us… |
| CVE-2026-33170 | medium | — | 5.5 | 2mo ago | Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@… |
| CVE-2026-33176 | medium | — | 5.5 | 2mo ago | Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept str… |
| CVE-2026-33169 | medium | — | 5.5 | 2mo ago | Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to in… |
| CVE-2015-3227 | medium | — | 5.0 | 11y ago | The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service… |
| CVE-2011-2932 | medium | — | 4.3 | 9y ago | Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow… |
| CVE-2011-2197 | medium | — | 4.3 | 9y ago | The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it … |
| CVE-2015-3226 | medium | — | 4.3 | 11y ago | Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web scri… |
| CVE-2012-3464 | medium | — | 4.3 | 14y ago | Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow re… |
| CVE-2012-1098 | medium | — | 4.3 | 15y ago | Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors in… |
| CVE-2023-38037 | unknown | — | — | 3y ago | ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's po… |
| CVE-2023-28120 | unknown | — | — | 3y ago | There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. |
| CVE-2020-8165 | unknown | — | — | 6y ago | A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore pote… |
| CVE-2009-3009 | unknown | — | — | 9y ago | Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings… |
| CVE-2009-3086 | unknown | — | — | 9y ago | A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allo… |