Ruby on Rails Rails 2.1.1
Approved changes feed: RSS · Atom
cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*
part: a version: 2.1.1 update: *
| Vendor | Rubyonrails (a0962337-0e2d-518c-b84b-f2864721d062) |
|---|---|
| Product | Rails (4bc463b7-a5fc-5e2f-aea1-023dcfc59b73) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:gem/rails |
purl2cpe | 2026-06-01 10:11:28.274002 |
pkg:github/rails/rails |
purl2cpe | 2026-06-01 10:11:28.274003 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2014-3482 |
vulnerable | 2026-06-03 14:33:54.710892 |
Details available
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.
Published: 2014-07-07T10:00:00.000Z
Updated: 2024-08-06T10:43:06.174Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2014-0081 |
vulnerable | 2026-06-03 14:33:36.661791 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
Published: 2014-02-20T11:00:00.000Z
Updated: 2024-08-06T09:05:38.984Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1857 |
vulnerable | 2026-06-03 14:32:52.249081 |
Details available
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.
Published: 2013-03-19T22:00:00.000Z
Updated: 2024-08-06T15:20:35.190Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1855 |
vulnerable | 2026-06-03 14:32:52.235253 |
Details available
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
Published: 2013-03-19T22:00:00.000Z
Updated: 2024-08-06T15:20:35.175Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-3465 |
vulnerable | 2026-06-03 14:31:58.505713 |
Details available
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
Published: 2012-08-10T10:00:00.000Z
Updated: 2024-08-06T20:05:12.646Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-3464 |
vulnerable | 2026-06-03 14:31:58.488531 |
Details available
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
Published: 2012-08-10T10:00:00.000Z
Updated: 2024-08-06T20:05:12.658Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-2932 |
vulnerable | 2026-06-03 14:31:11.282139 |
Details available
Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
Published: 2011-08-29T18:00:00.000Z
Updated: 2024-08-06T23:15:31.926Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-2931 |
vulnerable | 2026-06-03 14:31:11.280332 |
Details available
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
Published: 2011-08-29T18:00:00.000Z
Updated: 2024-08-06T23:15:31.957Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-2930 |
vulnerable | 2026-06-03 14:31:11.276123 |
Details available
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
Published: 2011-08-29T18:00:00.000Z
Updated: 2024-08-06T23:15:31.901Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-2197 |
vulnerable | 2026-06-03 14:31:06.211699 |
Details available
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
Published: 2011-06-30T15:26:00.000Z
Updated: 2024-08-06T22:53:17.178Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-0447 |
vulnerable | 2026-06-03 14:30:49.063933 |
Details available
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
Published: 2011-02-14T20:00:00.000Z
Updated: 2024-08-06T21:51:09.065Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-0446 |
vulnerable | 2026-06-03 14:30:49.048732 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
Published: 2011-02-14T20:00:00.000Z
Updated: 2024-08-06T21:51:09.087Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2009-4214 |
vulnerable | 2026-06-03 14:29:56.837295 |
Details available
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
Published: 2009-12-07T17:00:00.000Z
Updated: 2024-08-07T06:54:09.938Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2009-3086 |
vulnerable | 2026-06-03 14:29:44.928080 |
Details available
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
Published: 2009-09-08T18:00:00.000Z
Updated: 2024-08-07T06:14:56.393Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2009-3009 |
vulnerable | 2026-06-03 14:29:44.431192 |
Details available
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
Published: 2009-09-08T18:00:00.000Z
Updated: 2024-08-07T06:14:55.295Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2008-7248 |
vulnerable | 2026-06-03 14:29:20.966419 |
Details available
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Published: 2009-12-16T01:00:00.000Z
Updated: 2024-08-07T11:56:14.540Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2007-6077 |
not_vulnerable | 2026-06-03 14:28:28.501189 |
Details available
The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.
Published: 2007-11-21T21:00:00.000Z
Updated: 2024-08-07T15:54:26.389Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.