GCVE - cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:rubyonrails:rails:1.1.1:*:*:*:*:*:*:*

part: a version: 1.1.1 update: *

Vendor	Rubyonrails (`a0962337-0e2d-518c-b84b-f2864721d062`)
Product	Rails (`4bc463b7-a5fc-5e2f-aea1-023dcfc59b73`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:gem/rails`	purl2cpe	2026-06-01 10:11:28.273910
`pkg:github/rails/rails`	purl2cpe	2026-06-01 10:11:28.273911

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2014-0081`	vulnerable	2026-06-03 14:33:36.651258	Details available Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. Published: 2014-02-20T11:00:00.000Z Updated: 2024-08-06T09:05:38.984Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2014-0215.html http://rhn.redhat.com/errata/RHSA-2014-0306.html http://www.securityfocus.com/bid/65647 http://www.securitytracker.com/id/1029782 http://openwall.com/lists/oss-security/2014/02/18/8	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1857`	vulnerable	2026-06-03 14:32:52.248740	Details available The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. Published: 2013-03-19T22:00:00.000Z Updated: 2024-08-06T15:20:35.190Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html http://support.apple.com/kb/HT5784 http://rhn.redhat.com/errata/RHSA-2013-0698.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1855`	vulnerable	2026-06-03 14:32:52.224727	Details available The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. Published: 2013-03-19T22:00:00.000Z Updated: 2024-08-06T15:20:35.175Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html http://support.apple.com/kb/HT5784	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3465`	vulnerable	2026-06-03 14:31:58.505370	Details available Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. Published: 2012-08-10T10:00:00.000Z Updated: 2024-08-06T20:05:12.646Z Open on db.gcve.eu Reference links http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ http://secunia.com/advisories/50694 http://rhn.redhat.com/errata/RHSA-2013-0154.html https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3464`	vulnerable	2026-06-03 14:31:58.478321	Details available Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. Published: 2012-08-10T10:00:00.000Z Updated: 2024-08-06T20:05:12.658Z Open on db.gcve.eu Reference links http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ http://secunia.com/advisories/50694 http://rhn.redhat.com/errata/RHSA-2013-0154.html https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-4214`	vulnerable	2026-06-03 14:29:56.824472	Details available Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. Published: 2009-12-07T17:00:00.000Z Updated: 2024-08-07T06:54:09.938Z Open on db.gcve.eu Reference links http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1 http://secunia.com/advisories/37446 http://www.vupen.com/english/advisories/2009/3352 http://www.debian.org/security/2011/dsa-2301 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-5189`	vulnerable	2026-06-03 14:29:08.123199	Details available CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. Published: 2008-11-21T11:00:00.000Z Updated: 2024-08-07T10:40:17.237Z Open on db.gcve.eu Reference links http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d http://www.securityfocus.com/bid/32359 http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-4094`	vulnerable	2026-06-03 14:28:56.962220	Details available Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. Published: 2008-09-30T17:00:00.000Z Updated: 2024-08-07T10:00:42.864Z Open on db.gcve.eu Reference links http://gist.github.com/8946 https://exchange.xforce.ibmcloud.com/vulnerabilities/45109 http://www.openwall.com/lists/oss-security/2008/09/13/2 http://rails.lighthouseapp.com/projects/8994/tickets/964 http://rails.lighthouseapp.com/projects/8994/tickets/288	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2007-6077`	not_vulnerable	2026-06-03 14:28:28.490357	Details available The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. Published: 2007-11-21T21:00:00.000Z Updated: 2024-08-07T15:54:26.389Z Open on db.gcve.eu Reference links http://www.vupen.com/english/advisories/2007/4238 http://www.us-cert.gov/cas/techalerts/TA07-352A.html http://secunia.com/advisories/28136 http://secunia.com/advisories/27781 http://dev.rubyonrails.org/changeset/8177	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2006-4112`	vulnerable	2026-06-03 14:27:36.751313	Details available Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111. Published: 2006-08-14T21:00:00.000Z Updated: 2024-08-07T18:57:45.869Z Open on db.gcve.eu Reference links http://secunia.com/advisories/21466 http://secunia.com/advisories/21749 http://www.securityfocus.com/bid/19454 http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure https://exchange.xforce.ibmcloud.com/vulnerabilities/28364	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2006-4111`	vulnerable	2026-06-03 14:27:36.743744	Details available Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. Published: 2006-08-14T21:00:00.000Z Updated: 2024-08-07T18:57:45.989Z Open on db.gcve.eu Reference links http://secunia.com/advisories/21466 http://secunia.com/advisories/21749 http://www.securityfocus.com/bid/19454 http://www.vupen.com/english/advisories/2006/3237 http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.