GCVE - cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*

part: a version: 2.2.1 update: *

Vendor	Rubyonrails (`a0962337-0e2d-518c-b84b-f2864721d062`)
Product	Rails (`4bc463b7-a5fc-5e2f-aea1-023dcfc59b73`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:gem/rails`	purl2cpe	2026-06-01 10:11:28.274010
`pkg:github/rails/rails`	purl2cpe	2026-06-01 10:11:28.274011

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2014-3482`	vulnerable	2026-06-03 14:33:54.712315	Details available SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. Published: 2014-07-07T10:00:00.000Z Updated: 2024-08-06T10:43:06.174Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/68343 http://secunia.com/advisories/59973 http://openwall.com/lists/oss-security/2014/07/02/5 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J http://secunia.com/advisories/60214	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-0081`	vulnerable	2026-06-03 14:33:36.663297	Details available Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. Published: 2014-02-20T11:00:00.000Z Updated: 2024-08-06T09:05:38.984Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2014-0215.html http://rhn.redhat.com/errata/RHSA-2014-0306.html http://www.securityfocus.com/bid/65647 http://www.securitytracker.com/id/1029782 http://openwall.com/lists/oss-security/2014/02/18/8	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1857`	vulnerable	2026-06-03 14:32:52.249131	Details available The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. Published: 2013-03-19T22:00:00.000Z Updated: 2024-08-06T15:20:35.190Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html http://support.apple.com/kb/HT5784 http://rhn.redhat.com/errata/RHSA-2013-0698.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1855`	vulnerable	2026-06-03 14:32:52.236732	Details available The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. Published: 2013-03-19T22:00:00.000Z Updated: 2024-08-06T15:20:35.175Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html http://support.apple.com/kb/HT5784	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3465`	vulnerable	2026-06-03 14:31:58.505762	Details available Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup. Published: 2012-08-10T10:00:00.000Z Updated: 2024-08-06T20:05:12.646Z Open on db.gcve.eu Reference links http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ http://secunia.com/advisories/50694 http://rhn.redhat.com/errata/RHSA-2013-0154.html https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-3464`	vulnerable	2026-06-03 14:31:58.489992	Details available Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character. Published: 2012-08-10T10:00:00.000Z Updated: 2024-08-06T20:05:12.658Z Open on db.gcve.eu Reference links http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ http://secunia.com/advisories/50694 http://rhn.redhat.com/errata/RHSA-2013-0154.html https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2932`	vulnerable	2026-06-03 14:31:11.282191	Details available Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability." Published: 2011-08-29T18:00:00.000Z Updated: 2024-08-06T23:15:31.926Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=731435 http://secunia.com/advisories/45917 http://www.openwall.com/lists/oss-security/2011/08/17/1 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html http://www.openwall.com/lists/oss-security/2011/08/22/13	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2931`	vulnerable	2026-06-03 14:31:11.280380	Details available Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. Published: 2011-08-29T18:00:00.000Z Updated: 2024-08-06T23:15:31.957Z Open on db.gcve.eu Reference links http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain http://www.openwall.com/lists/oss-security/2011/08/17/1 http://www.openwall.com/lists/oss-security/2011/08/22/13 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2930`	vulnerable	2026-06-03 14:31:11.276181	Details available Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name. Published: 2011-08-29T18:00:00.000Z Updated: 2024-08-06T23:15:31.901Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2011/08/17/1 https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85 http://www.openwall.com/lists/oss-security/2011/08/22/13 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html http://www.openwall.com/lists/oss-security/2011/08/19/11	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-2197`	vulnerable	2026-06-03 14:31:06.213209	Details available The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. Published: 2011-06-30T15:26:00.000Z Updated: 2024-08-06T22:53:17.178Z Open on db.gcve.eu Reference links http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications http://secunia.com/advisories/44789	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-0447`	vulnerable	2026-06-03 14:30:49.064003	Details available Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. Published: 2011-02-14T20:00:00.000Z Updated: 2024-08-06T21:51:09.065Z Open on db.gcve.eu Reference links http://www.vupen.com/english/advisories/2011/0587 http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails http://www.securitytracker.com/id?1025060 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html http://www.securityfocus.com/bid/46291	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-0446`	vulnerable	2026-06-03 14:30:49.050847	Details available Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. Published: 2011-02-14T20:00:00.000Z Updated: 2024-08-06T21:51:09.087Z Open on db.gcve.eu Reference links http://www.vupen.com/english/advisories/2011/0587 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html http://www.securityfocus.com/bid/46291 http://www.debian.org/security/2011/dsa-2247 http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-3086`	vulnerable	2026-06-03 14:29:44.928134	Details available A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. Published: 2009-09-08T18:00:00.000Z Updated: 2024-08-07T06:14:56.393Z Open on db.gcve.eu Reference links http://secunia.com/advisories/36600 http://www.securityfocus.com/bid/37427 http://www.vupen.com/english/advisories/2009/2544 http://www.debian.org/security/2011/dsa-2260 http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-3009`	vulnerable	2026-06-03 14:29:44.432759	Details available Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. Published: 2009-09-08T18:00:00.000Z Updated: 2024-08-07T06:14:55.295Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/36278 http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails http://secunia.com/advisories/36600 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html http://www.vupen.com/english/advisories/2009/2544	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-7248`	vulnerable	2026-06-03 14:29:20.967925	Details available Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. Published: 2009-12-16T01:00:00.000Z Updated: 2024-08-07T11:56:14.540Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2009/11/28/1 http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html http://secunia.com/advisories/36600 http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/ http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2007-6077`	not_vulnerable	2026-06-03 14:28:28.502622	Details available The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. Published: 2007-11-21T21:00:00.000Z Updated: 2024-08-07T15:54:26.389Z Open on db.gcve.eu Reference links http://www.vupen.com/english/advisories/2007/4238 http://www.us-cert.gov/cas/techalerts/TA07-352A.html http://secunia.com/advisories/28136 http://secunia.com/advisories/27781 http://dev.rubyonrails.org/changeset/8177	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.