National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Ruby
There are 423 matching records.
Displaying matches 361 through 380.
Vuln ID Summary CVSS Severity
CVE-2011-0446

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

Published: February 14, 2011; 04:00:03 PM -05:00
    V2: 4.3 MEDIUM
CVE-2011-0739

The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.

Published: February 01, 2011; 08:00:07 PM -05:00
    V2: 6.8 MEDIUM
CVE-2010-3928

Ruby Version Manager (RVM) before 1.2.1 writes file contents to a terminal without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via a crafted file, related to an "escape sequence injection vulnerability." NOTE: some of these details are obtained from third party information.

Published: January 20, 2011; 02:00:04 PM -05:00
    V2: 6.8 MEDIUM
CVE-2010-3933

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

Published: October 27, 2010; 08:00:05 PM -04:00
    V2: 6.4 MEDIUM
CVE-2010-3119

Google Chrome before 5.0.375.127 and webkitgtk before 1.2.6 do not properly support the Ruby language, which allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

Published: August 24, 2010; 04:00:02 PM -04:00
    V2: 10.0 HIGH
CVE-2010-2489

Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files.

Published: July 12, 2010; 09:27:27 AM -04:00
    V2: 7.2 HIGH
CVE-2010-0541

Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page.

Published: June 17, 2010; 12:30:01 PM -04:00
    V2: 4.3 MEDIUM
CVE-2010-0647

WebKit before r53525, as used in Google Chrome before 4.0.249.89, allows remote attackers to execute arbitrary code in the Chrome sandbox via a malformed RUBY element, as demonstrated by a <ruby>><table><rt> sequence.

Published: February 18, 2010; 01:00:00 PM -05:00
    V2: 9.3 HIGH
CVE-2009-4492

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Published: January 13, 2010; 03:30:00 PM -05:00
    V2: 5.0 MEDIUM
CVE-2008-7248

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

Published: December 15, 2009; 08:30:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2009-4124

Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.

Published: December 11, 2009; 11:30:00 AM -05:00
    V2: 10.0 HIGH
CVE-2009-4214

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Published: December 07, 2009; 12:30:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2009-4079

Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and earlier allows remote attackers to hijack the authentication of users for requests that delete a ticket via unspecified vectors.

Published: November 25, 2009; 05:00:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2009-4078

Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: November 25, 2009; 05:00:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2009-3857

Buffer overflow in Softonic International SciTE 1.72 allows user-assisted remote attackers to cause a denial of service (application crash) via a Ruby (.rb) file containing a long string, which triggers the crash when a scroll bar is used.

Published: November 04, 2009; 12:30:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2009-3086

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

Published: September 08, 2009; 02:30:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2009-3009

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.

Published: September 08, 2009; 02:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2009-2422

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

Published: July 10, 2009; 11:30:00 AM -04:00
    V2: 7.5 HIGH
CVE-2009-1904

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.

Published: June 11, 2009; 05:30:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2009-0161

The OpenSSL::OCSP module for Ruby in Apple Mac OS X 10.5 before 10.5.7 misinterprets an unspecified invalid response as a successful OCSP certificate validation, which might allow remote attackers to spoof certificate authentication via a revoked certificate.

Published: May 13, 2009; 11:30:00 AM -04:00
    V2: 6.4 MEDIUM