Show filters
25 Total Results
Displaying 21-25 of 25
Sort by:
Attacker Value
Unknown

CVE-2011-0447

Disclosure Date: February 14, 2011 (last updated October 04, 2023)
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
0
Attacker Value
Unknown

CVE-2011-0446

Disclosure Date: February 14, 2011 (last updated October 04, 2023)
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
0
Attacker Value
Unknown

CVE-2009-4214

Disclosure Date: December 07, 2009 (last updated October 04, 2023)
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
0
Attacker Value
Unknown

CVE-2009-3086

Disclosure Date: September 08, 2009 (last updated October 04, 2023)
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
0
Attacker Value
Unknown

CVE-2009-3009

Disclosure Date: September 08, 2009 (last updated October 04, 2023)
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
0