Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-2422 | 1 David Hansson | 1 Ruby On Rails | 2017-08-16 | 7.5 HIGH | N/A |
| The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. | |||||
| CVE-2007-5379 | 1 David Hansson | 1 Ruby On Rails | 2012-10-30 | 5.0 MEDIUM | N/A |
| Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file. | |||||
| CVE-2007-5380 | 1 David Hansson | 1 Ruby On Rails | 2011-03-07 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions." | |||||