rails 1.1.1

13 security vulnerabilities found in version 1.1.1

High Security Vulnerability with authenticate_with_http_digest of Rails

critical severity CVE-2009-2422
critical severity CVE-2009-2422
Patched versions: >= 2.3.3

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

High severity vulnerability that affects rails

high severity CVE-2008-4094
high severity CVE-2008-4094
Affected versions: < 2.1.1

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Moderate severity vulnerability that affects rails

high severity CVE-2007-6077
high severity CVE-2007-6077
Patched versions: >= 1.2.6

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks.

NOTE: this is due to an incomplete fix for CVE-2007-5380.

Moderate severity vulnerability that affects rails

high severity CVE-2007-5380
high severity CVE-2007-5380
Patched versions: >= 1.2.4

Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

High severity vulnerability that affects rails.

high severity CVE-2006-4112
high severity CVE-2006-4112
Patched versions: >= 1.1.6
Unaffected versions: < 1.1.0

Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.

High severity vulnerability that affects rails

high severity CVE-2006-4111
high severity CVE-2006-4111
Patched versions: >= 1.1.6
Unaffected versions: < 1.1.0

Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.

Rails vulnerable to Cross-site Scripting

medium severity CVE-2014-0081
medium severity CVE-2014-0081
Patched versions: ~> 3.2.17, ~> 4.0.3, ~> 4.1.0.beta2, >= 4.1.0

Multiple cross-site scripting (XSS) vulnerabilities in "actionview/lib/action_view/helpers/number_helper.rb" in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.

Cross site scripting in rails

medium severity CVE-2011-1497
medium severity CVE-2011-1497
Affected versions: < 3.0.6

A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.

Moderate severity vulnerability that affects rails

medium severity CVE-2011-0446
medium severity CVE-2011-0446
Affected versions: < 2.3.11

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

Moderate severity XSS vulnerability that affects rails

medium severity CVE-2009-4214
medium severity CVE-2009-4214
Patched versions: ~> 2.2.2, >= 2.3.5

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters,related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Moderate severity vulnerability that affects rails

medium severity CVE-2008-5189
medium severity CVE-2008-5189
Patched versions: >= 2.0.5

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

Moderate severity vulnerability that affects rails

medium severity CVE-2007-5379
medium severity CVE-2007-5379
Patched versions: >= 1.2.5

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Moderate severity vulnerability that affects rails

medium severity CVE-2007-3227
medium severity CVE-2007-3227
Patched versions: >= 1.2.5

Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.


This gem version has a MIT license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.