Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
ruby on rails vulnerabilities and exploits
(subscribe to this query)
4.3
CVSSv2
CVE-2015-7578
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem prior to 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote malicious users to inject arbitrary web script or HTML via crafted tag attributes.
Rubyonrails Html Sanitizer
9.3
CVSSv2
CVE-2014-6140
IBM Tivoli Endpoint Manager Mobile Device Management (MDM) prior to 9.0.60100 uses the same secret HMAC token across different customers' installations, which allows remote malicious users to execute arbitrary code via crafted marshalled Ruby objects in cookies to (1) Enroll...
Ibm Tivoli Endpoint Manager Mobile Device Management
NA
CVE-2023-27539
Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection. For the oldstable distribution (bullseye), these problems have been fixed in version 2.1.4-3+deb11u1. We recommend ...
6.8
CVSSv2
CVE-2013-6443
CloudForms 3.0 Management Engine prior to 5.2.1.6 allows remote malicious users to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.
Redhat Cloudforms 3.0
Redhat Cloudforms 3.0 Management Engine 5.2
Redhat Cloudforms 3.0 Management Engine
6.8
CVSSv2
CVE-2015-9284
The request phase of the OmniAuth Ruby gem (1.9.1 and previous versions) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a ...
Omniauth Omniauth
16 Github repositories
5
CVSSv2
CVE-2019-25025
The activerecord-session_store (aka Active Record Session Store) component up to and including 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing...
Rubyonrails Active Record Session Store
2 Github repositories
7.5
CVSSv2
CVE-2013-0269
The JSON gem prior to 1.5.5, 1.6.x prior to 1.6.8, and 1.7.x prior to 1.7.7 for Ruby allows remote malicious users to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbi...
Rubygems Json Gem 1.7.1
Rubygems Json Gem 1.7.0
Rubygems Json Gem 1.6.1
Rubygems Json Gem 1.6.0
Rubygems Json Gem 1.7.6
Rubygems Json Gem 1.7.5
Rubygems Json Gem 1.6.5
Rubygems Json Gem 1.6.4
Rubygems Json Gem 1.5.2
Rubygems Json Gem 1.5.1
Rubygems Json Gem 1.7.4
Rubygems Json Gem 1.7.3
Rubygems Json Gem 1.7.2
Rubygems Json Gem 1.6.3
Rubygems Json Gem 1.6.2
Rubygems Json Gem 1.5.0
Rubygems Json Gem 1.6.7
Rubygems Json Gem 1.6.6
Rubygems Json Gem 1.5.4
Rubygems Json Gem 1.5.3
1 Github repository
NA
CVE-2023-30614
Pay is a payments engine for Ruby on Rails 6.0 and higher. In versions before 6.3.2 a payments info page of Pay is susceptible to reflected Cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that integrates...
Pay Project Pay
4
CVSSv2
CVE-2020-26223
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and prior to 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed...
Spreecommerce Spree
NA
CVE-2023-36465
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to...
Decidim Decidim
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
path traversal
CVE-2024-26978
CVE-2024-26982
wireless
CVE-2023-6949
CVE-2024-26980
CVE-2024-32766
CVE-2024-26939
cache poisoning
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
4
5
6
7
8
9
10
NEXT »