Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:rubyonrails:rails:1.2.2
There are 25 matching records.
Displaying matches 21 through 25.
Vuln ID Summary CVSS Severity
CVE-2012-3464

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.

Published: August 10, 2012; 6:34:47 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2009-4214

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Published: December 07, 2009; 12:30:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-5189

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

Published: November 21, 2008; 7:00:00 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2008-4094

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Published: September 30, 2008; 1:22:09 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-6077

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

Published: November 21, 2007; 4:46:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM