Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Rubyonrails Subscribe
Filtered by product Ruby On Rails

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 56 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2008-4094 1 Rubyonrails 2 Rails, Ruby On Rails 2019-08-08 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
CVE-2006-4111 1 Rubyonrails 2 Rails, Ruby On Rails 2019-08-08 7.5 HIGH N/A
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
CVE-2017-17920 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8 MEDIUM 8.1 HIGH
** DISPUTED ** SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
CVE-2017-17919 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8 MEDIUM 8.1 HIGH
** DISPUTED ** SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
CVE-2017-17917 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8 MEDIUM 8.1 HIGH
** DISPUTED ** SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.
CVE-2017-17916 1 Rubyonrails 1 Ruby On Rails 2018-01-10 6.8 MEDIUM 8.1 HIGH
** DISPUTED ** SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.