GCVE - cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:rubyonrails:rails:2.0.2:*:*:*:*:*:*:*

part: a version: 2.0.2 update: *

Vendor	Rubyonrails (`a0962337-0e2d-518c-b84b-f2864721d062`)
Product	Rails (`4bc463b7-a5fc-5e2f-aea1-023dcfc59b73`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:gem/rails`	purl2cpe	2026-06-01 10:11:28.273981
`pkg:github/rails/rails`	purl2cpe	2026-06-01 10:11:28.273983

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2014-3482`	vulnerable	2026-06-03 14:33:54.709431	Details available SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. Published: 2014-07-07T10:00:00.000Z Updated: 2024-08-06T10:43:06.174Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/68343 http://secunia.com/advisories/59973 http://openwall.com/lists/oss-security/2014/07/02/5 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J http://secunia.com/advisories/60214	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-0081`	vulnerable	2026-06-03 14:33:36.660311	Details available Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. Published: 2014-02-20T11:00:00.000Z Updated: 2024-08-06T09:05:38.984Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2014-0215.html http://rhn.redhat.com/errata/RHSA-2014-0306.html http://www.securityfocus.com/bid/65647 http://www.securitytracker.com/id/1029782 http://openwall.com/lists/oss-security/2014/02/18/8	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1857`	vulnerable	2026-06-03 14:32:52.249033	Details available The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. Published: 2013-03-19T22:00:00.000Z Updated: 2024-08-06T15:20:35.190Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html http://support.apple.com/kb/HT5784 http://rhn.redhat.com/errata/RHSA-2013-0698.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1855`	vulnerable	2026-06-03 14:32:52.233811	Details available The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. Published: 2013-03-19T22:00:00.000Z Updated: 2024-08-06T15:20:35.175Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html http://support.apple.com/kb/HT5784	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3465`	vulnerable	2026-06-03 14:31:58.505665	Details available Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. Published: 2012-08-10T10:00:00.000Z Updated: 2024-08-06T20:05:12.646Z Open on db.gcve.eu Reference links http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ http://secunia.com/advisories/50694 http://rhn.redhat.com/errata/RHSA-2013-0154.html https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3464`	vulnerable	2026-06-03 14:31:58.487054	Details available Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. Published: 2012-08-10T10:00:00.000Z Updated: 2024-08-06T20:05:12.658Z Open on db.gcve.eu Reference links http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ http://secunia.com/advisories/50694 http://rhn.redhat.com/errata/RHSA-2013-0154.html https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2932`	vulnerable	2026-06-03 14:31:11.282092	Details available Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." Published: 2011-08-29T18:00:00.000Z Updated: 2024-08-06T23:15:31.926Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=731435 http://secunia.com/advisories/45917 http://www.openwall.com/lists/oss-security/2011/08/17/1 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html http://www.openwall.com/lists/oss-security/2011/08/22/13	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2931`	vulnerable	2026-06-03 14:31:11.280280	Details available Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. Published: 2011-08-29T18:00:00.000Z Updated: 2024-08-06T23:15:31.957Z Open on db.gcve.eu Reference links http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain http://www.openwall.com/lists/oss-security/2011/08/17/1 http://www.openwall.com/lists/oss-security/2011/08/22/13 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2930`	vulnerable	2026-06-03 14:31:11.276070	Details available Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. Published: 2011-08-29T18:00:00.000Z Updated: 2024-08-06T23:15:31.901Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2011/08/17/1 https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85 http://www.openwall.com/lists/oss-security/2011/08/22/13 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://www.openwall.com/lists/oss-security/2011/08/19/11	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2197`	vulnerable	2026-06-03 14:31:06.210265	Details available The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. Published: 2011-06-30T15:26:00.000Z Updated: 2024-08-06T22:53:17.178Z Open on db.gcve.eu Reference links http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications http://secunia.com/advisories/44789	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-0446`	vulnerable	2026-06-03 14:30:49.046751	Details available Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. Published: 2011-02-14T20:00:00.000Z Updated: 2024-08-06T21:51:09.087Z Open on db.gcve.eu Reference links http://www.vupen.com/english/advisories/2011/0587 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html http://www.securityfocus.com/bid/46291 http://www.debian.org/security/2011/dsa-2247 http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-4214`	vulnerable	2026-06-03 14:29:56.835523	Details available Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. Published: 2009-12-07T17:00:00.000Z Updated: 2024-08-07T06:54:09.938Z Open on db.gcve.eu Reference links http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1 http://secunia.com/advisories/37446 http://www.vupen.com/english/advisories/2009/3352 http://www.debian.org/security/2011/dsa-2301 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-3009`	vulnerable	2026-06-03 14:29:44.429706	Details available Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. Published: 2009-09-08T18:00:00.000Z Updated: 2024-08-07T06:14:55.295Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/36278 http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails http://secunia.com/advisories/36600 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html http://www.vupen.com/english/advisories/2009/2544	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-5189`	vulnerable	2026-06-03 14:29:08.132012	Details available CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. Published: 2008-11-21T11:00:00.000Z Updated: 2024-08-07T10:40:17.237Z Open on db.gcve.eu Reference links http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d http://www.securityfocus.com/bid/32359 http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-4094`	vulnerable	2026-06-03 14:28:56.970953	Details available Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. Published: 2008-09-30T17:00:00.000Z Updated: 2024-08-07T10:00:42.864Z Open on db.gcve.eu Reference links http://gist.github.com/8946 https://exchange.xforce.ibmcloud.com/vulnerabilities/45109 http://www.openwall.com/lists/oss-security/2008/09/13/2 http://rails.lighthouseapp.com/projects/8994/tickets/964 http://rails.lighthouseapp.com/projects/8994/tickets/288	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2007-6077`	not_vulnerable	2026-06-03 14:28:28.499740	Details available The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. Published: 2007-11-21T21:00:00.000Z Updated: 2024-08-07T15:54:26.389Z Open on db.gcve.eu Reference links http://www.vupen.com/english/advisories/2007/4238 http://www.us-cert.gov/cas/techalerts/TA07-352A.html http://secunia.com/advisories/28136 http://secunia.com/advisories/27781 http://dev.rubyonrails.org/changeset/8177	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.