Rubyonrails Ruby On Rails — known CVE vulnerabilities
Every CVE whose affected-product data names Rubyonrails Ruby On Rails, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (49)
CVE-2013-0277 — CVSS 10.0 (critical): ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary…
CVE-2009-2422 — CVSS 9.8 (critical): The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an…
CVE-2017-17919 — CVSS 8.1 (high): SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL…
CVE-2017-17920 — CVSS 8.1 (high): SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL…
CVE-2012-6496 — CVSS 7.5 (high): SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10…
CVE-2008-4094 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1)…
CVE-2011-2930 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connect…
CVE-2016-0751 — CVSS 7.5 (high): actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x…
CVE-2006-4111 — CVSS 7.5 (high): Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an…
CVE-2014-3482 — CVSS 7.5 (high): SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for…
CVE-2013-0333 — CVSS 7.5 (high): lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data…
CVE-2012-2695 — CVSS 7.5 (high): The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the…
CVE-2013-0156 — CVSS 7.5 (high): active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before…
CVE-2016-2098 — CVSS 7.3 (high): Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary…
CVE-2013-6417 — CVSS 6.4 (medium): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences…
CVE-2012-2660 — CVSS 6.4 (medium): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly…
CVE-2013-3221 — CVSS 6.4 (medium): The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database…
CVE-2013-0155 — CVSS 6.4 (medium): Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter…
CVE-2016-6316 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1…
CVE-2013-1856 — CVSS 5.8 (medium): The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and…
CVE-2015-7577 — CVSS 5.3 (medium): activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x…
CVE-2016-2097 — CVSS 5.3 (medium): Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read…
CVE-2013-6414 — CVSS 5.0 (medium): actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers…
CVE-2013-1854 — CVSS 5.0 (medium): The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by…
CVE-2014-7829 — CVSS 5.0 (medium): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21…
CVE-2012-3424 — CVSS 5.0 (medium): The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x…
CVE-2011-2929 — CVSS 5.0 (medium): The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x…
CVE-2012-2661 — CVSS 5.0 (medium): The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement…
CVE-2014-0082 — CVSS 5.0 (medium): actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during…
CVE-2008-5189 — CVSS 5.0 (medium): CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP…
CVE-2012-1098 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote…
CVE-2014-0081 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17…
CVE-2011-4319 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before…
CVE-2014-7818 — CVSS 4.3 (medium): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20…
CVE-2015-3226 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x…
CVE-2011-2932 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before…
CVE-2011-2931 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in…
CVE-2012-3465 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails…
CVE-2012-3463 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x…
CVE-2012-2694 — CVSS 4.3 (medium): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly…
CVE-2013-1855 — CVSS 4.3 (medium): The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before…
CVE-2013-1857 — CVSS 4.3 (medium): The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before…
CVE-2012-1099 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails…
CVE-2013-4491 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component…
CVE-2013-6415 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on…
CVE-2012-3464 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before…
CVE-2011-2197 — CVSS 4.3 (medium): The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does…
CVE-2009-4214 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote…
CVE-2015-7576 — CVSS 3.7 (low): The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication…