National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Ruby
There are 423 matching records.
Displaying matches 241 through 260.
Vuln ID Summary CVSS Severity
CVE-2014-2888

lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request.

Published: April 23, 2014; 11:55:04 AM -04:00
    V2: 7.5 HIGH
CVE-2013-2105

The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

Published: April 22, 2014; 10:23:33 AM -04:00
    V2: 3.3 LOW
CVE-2014-0036

The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

Published: April 17, 2014; 10:55:06 AM -04:00
    V2: 6.8 MEDIUM
CVE-2014-2538

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.

Published: March 25, 2014; 02:21:48 PM -04:00
    V2: 4.3 MEDIUM
CVE-2013-4413

Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step.

Published: March 11, 2014; 03:37:02 PM -04:00
    V2: 5.0 MEDIUM
CVE-2014-0082

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.

Published: February 20, 2014; 10:27:09 AM -05:00
    V2: 5.0 MEDIUM
CVE-2014-0081

Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.

Published: February 20, 2014; 10:27:09 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-0080

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.

Published: February 20, 2014; 10:27:02 AM -05:00
    V2: 6.8 MEDIUM
CVE-2013-6443

CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.

Published: January 22, 2014; 08:55:03 PM -05:00
    V2: 6.8 MEDIUM
CVE-2014-1234

The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.

Published: January 10, 2014; 07:02:51 AM -05:00
    V2: 2.1 LOW
CVE-2014-1233

The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.

Published: January 10, 2014; 07:02:51 AM -05:00
    V2: 2.1 LOW
CVE-2013-2119

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.

Published: January 03, 2014; 01:54:11 PM -05:00
    V2: 4.6 MEDIUM
CVE-2013-6459

Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.

Published: December 31, 2013; 11:04:23 AM -05:00
    V2: 4.3 MEDIUM
CVE-2013-7086

The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.

Published: December 18, 2013; 11:24:57 PM -05:00
    V2: 7.5 HIGH
CVE-2013-6421

The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.

Published: December 12, 2013; 01:55:16 PM -05:00
    V2: 7.5 HIGH
CVE-2013-1812

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

Published: December 12, 2013; 01:55:10 PM -05:00
    V2: 4.3 MEDIUM
CVE-2013-4479

lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.

Published: December 07, 2013; 03:55:02 PM -05:00
    V2: 6.8 MEDIUM
CVE-2013-4478

Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

Published: December 07, 2013; 03:55:02 PM -05:00
    V2: 6.8 MEDIUM
CVE-2013-6417

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

Published: December 06, 2013; 07:55:03 PM -05:00
    V2: 6.4 MEDIUM
CVE-2013-6416

Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.

Published: December 06, 2013; 07:55:03 PM -05:00
    V2: 4.3 MEDIUM