Published: 20/08/2014 Updated: 08/08/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x prior to 4.0.9 and 4.1.x prior to 4.1.5 allows remote malicious users to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

Vulnerable Product

rubyonrails rails 4.0.0

rubyonrails rails 4.0.2

rubyonrails rails 4.0.3

rubyonrails rails 4.0.7

rubyonrails rails 4.1.0

rubyonrails rails 4.1.3

rubyonrails rails 4.1.4

rubyonrails rails 4.0.8

rubyonrails rails 4.0.1

rubyonrails rails 4.0.6

rubyonrails rails 4.1.2

rubyonrails rails 4.0.4

rubyonrails rails 4.0.5

rubyonrails rails 4.1.1

Vendor Advisories

It was discovered that Active Record's create_with method failed to properly check attributes passed to it. A remote attacker could possibly use this flaw to bypass the strong parameter protection and modify arbitrary model attributes via mass assignment if an application using Active Record called create_with with untrusted values ...

Github Repositories

The database powering "can I hack".

Can I hack database. The database powering "can I hack". Contribute: Fork the repository. Do your thing. Send a pull request and bug me until I merge it! Format: { "name": "Ruby on Rails", "versions": [ "420beta2", "420beta1", "416", "416rc2", "416rc1", "415" ...