See on RubyGems

rails 1.2.6

7 security vulnerabilities found in version 1.2.6

High Security Vulnerability with authenticate_with_http_digest of Rails

critical severity CVE-2009-2422
critical severity CVE-2009-2422
Patched versions: >= 2.3.3

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

High severity vulnerability that affects rails

high severity CVE-2008-4094
high severity CVE-2008-4094
Affected versions: < 2.1.1

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Rails vulnerable to Cross-site Scripting

medium severity CVE-2014-0081
medium severity CVE-2014-0081
Patched versions: ~> 3.2.17, ~> 4.0.3, ~> 4.1.0.beta2, >= 4.1.0

Multiple cross-site scripting (XSS) vulnerabilities in "actionview/lib/action_view/helpers/number_helper.rb" in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.

Cross site scripting in rails

medium severity CVE-2011-1497
medium severity CVE-2011-1497
Affected versions: < 3.0.6

A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.

Moderate severity vulnerability that affects rails

medium severity CVE-2011-0446
medium severity CVE-2011-0446
Affected versions: < 2.3.11

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

Moderate severity XSS vulnerability that affects rails

medium severity CVE-2009-4214
medium severity CVE-2009-4214
Patched versions: ~> 2.2.2, >= 2.3.5

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters,related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Moderate severity vulnerability that affects rails

medium severity CVE-2008-5189
medium severity CVE-2008-5189
Patched versions: >= 2.0.5

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leaked issues.

Gem version without a license.

Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.

This gem version has not been yanked and is still available for usage.