Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ruby_on_rails
(Rubyonrails)| Repositories | https://github.com/rails/rails |
| #Vulnerabilities | 50 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2008-09-30 | CVE-2008-4094 | Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | Rails, Ruby_on_rails | N/A | ||
| 2007-11-21 | CVE-2007-6077 | The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. | Rails, Ruby_on_rails | N/A | ||
| 2006-08-14 | CVE-2006-4111 | Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. | Rails, Ruby_on_rails | N/A |