Ruby/rails/1.2.4

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Repo Link: https://rubygems.org/gems/rails
License: UNKNOWN

8 Security Vulnerabilities

Moderate severity vulnerability that affects rails

Published date: 2017-10-24T18:33:38Z

CVE: CVE-2011-0446

Links:

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

Affected versions: ["3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Secure versions: [6.1.0.rc1, 6.0.3.4, 6.0.3.3, 6.0.3.2, 6.0.3.1, 6.0.3, 6.0.3.rc1, 6.0.2.2, 6.0.2.1, 6.0.2, 6.0.2.rc2, 6.0.2.rc1, 6.0.1, 6.0.1.rc1, 6.0.0, 6.0.0.rc2, 6.0.0.rc1, 6.0.0.beta3, 6.0.0.beta2, 6.0.0.beta1, 5.2.4.4, 5.2.4.3, 5.2.4.2, 5.2.4.1, 5.2.4, 5.2.4.rc1, 5.2.3, 5.2.3.rc1, 5.2.2.1, 5.2.2, 5.2.2.rc1, 5.2.1.1, 5.2.1, 5.2.1.rc1, 5.2.0, 5.2.0.rc2, 5.2.0.rc1, 5.2.0.beta2, 5.2.0.beta1, 5.1.7, 5.1.7.rc1, 5.1.6.2, 5.1.6.1, 5.1.6, 5.1.5, 5.1.5.rc1, 5.1.4, 5.1.4.rc1, 5.1.3, 5.1.3.rc3, 5.1.3.rc2, 5.1.3.rc1, 5.1.2, 5.1.2.rc1, 5.1.1, 5.1.0, 5.1.0.rc2, 5.1.0.rc1, 5.1.0.beta1, 5.0.7.2, 5.0.7.1, 5.0.7, 5.0.6, 5.0.6.rc1, 5.0.5, 5.0.5.rc2, 5.0.5.rc1, 5.0.4, 5.0.4.rc1, 5.0.3, 5.0.2, 5.0.2.rc1, 5.0.1, 5.0.1.rc2, 5.0.1.rc1, 5.0.0.1, 5.0.0, 5.0.0.rc2, 5.0.0.rc1, 5.0.0.racecar1, 5.0.0.beta4, 5.0.0.beta3, 5.0.0.beta2, 5.0.0.beta1.1, 5.0.0.beta1, 4.2.11.3, 4.2.11.2, 4.2.11.1, 4.2.11, 4.2.10, 4.2.10.rc1, 4.2.9, 4.2.9.rc2, 4.2.9.rc1, 4.2.8, 4.2.8.rc1, 4.2.7.1, 4.2.7, 4.2.7.rc1, 4.2.6, 4.2.6.rc1, 4.2.5.2, 4.2.5.1, 4.2.5, 4.2.5.rc2, 4.2.5.rc1, 4.2.4, 4.2.4.rc1, 4.2.3, 4.2.3.rc1, 4.2.2, 4.2.1, 4.2.1.rc4, 4.2.1.rc3, 4.2.1.rc2, 4.2.1.rc1, 4.2.0, 4.2.0.rc3, 4.2.0.rc2, 4.2.0.rc1, 4.2.0.beta4, 4.2.0.beta3, 4.2.0.beta2, 4.2.0.beta1, 4.1.16, 4.1.16.rc1, 4.1.15, 4.1.15.rc1, 4.1.14.2, 4.1.14.1, 4.1.14, 4.1.14.rc2, 4.1.14.rc1, 4.1.13, 4.1.13.rc1, 4.1.12, 4.1.12.rc1, 4.1.11, 4.1.10, 4.1.10.rc4, 4.1.10.rc3, 4.1.10.rc2, 4.1.10.rc1, 4.1.9, 4.1.9.rc1, 4.1.8, 4.1.7.1, 4.1.7, 4.1.6, 4.1.6.rc2, 4.1.6.rc1, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.2.rc3, 4.1.2.rc2, 4.1.2.rc1, 4.1.1, 4.1.0, 4.1.0.rc2, 4.1.0.rc1, 4.1.0.beta2, 4.1.0.beta1, 4.0.13, 4.0.13.rc1, 4.0.12, 4.0.11.1, 4.0.11, 4.0.10, 4.0.10.rc2, 4.0.10.rc1, 4.0.9, 4.0.8, 4.0.7, 4.0.6, 4.0.6.rc3, 4.0.6.rc2, 4.0.6.rc1, 4.0.5, 4.0.4, 4.0.4.rc1, 4.0.3, 4.0.0.rc2, 4.0.0.rc1, 4.0.0.beta1, 3.2.22.5, 3.2.22.4, 3.2.22.3, 3.2.22.2, 3.2.22.1, 3.2.22, 3.2.21, 3.2.20, 3.2.19, 3.2.18, 3.2.17, 6.1.0.rc2, 6.1.0, 6.1.1, 6.1.2, 6.1.2.1, 6.0.3.5, 5.2.4.5, 6.1.3, 6.1.3.1, 6.0.3.6, 5.2.5, 6.1.3.2, 6.0.3.7, 5.2.6, 5.2.4.6, 6.0.4, 6.1.4, 6.1.4.1, 6.0.4.1, 7.0.0.alpha2, 7.0.0.alpha1, 7.0.0.rc1, 7.0.0.rc3, 7.0.0.rc2, 6.1.4.3, 6.1.4.2, 6.0.4.3, 6.0.4.2, 7.0.0, 6.1.4.4, 6.0.4.4, 7.0.1, 7.0.2, 7.0.2.2, 7.0.2.1, 6.1.4.6, 6.1.4.5, 6.0.4.6, 6.0.4.5, 5.2.6.2, 5.2.6.1, 6.0.4.7, 5.2.6.3, 7.0.2.3, 6.1.4.7, 6.1.5, 5.2.7, 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1, 7.0.3, 6.1.6, 6.0.5, 5.2.8, 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1, 7.0.4, 6.1.7, 6.0.6, 7.0.4.1, 6.1.7.1, 6.0.6.1, 7.0.4.2, 6.1.7.2, 7.0.4.3, 6.1.7.3]

Recommendation: Update to version 7.0.4.3.

Moderate severity vulnerability that affects rails

Published date: 2017-10-24T18:33:38Z

CVE: CVE-2009-4214

Links:

Cross-site scripting (XSS) vulnerability in the striptags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/actioncontroller/vendor/html-scanner/html/node.rb.

Affected versions: ["2.3.4", "2.3.3", "2.3.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Recommendation: Update to version 7.0.4.3.

Moderate severity vulnerability that affects rails

Published date: 2017-10-24T18:33:38Z

CVE: CVE-2007-3227

Links:

Cross-site scripting (XSS) vulnerability in the tojson (ActiveRecord::Base#tojson) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

Affected versions: ["1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Recommendation: Update to version 7.0.4.3.

Moderate severity vulnerability that affects rails

Published date: 2017-10-24T18:33:38Z

CVE: CVE-2008-5189

Links:

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

Affected versions: ["2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Recommendation: Update to version 7.0.4.3.

Moderate severity vulnerability that affects rails

Published date: 2017-10-24T18:33:38Z

CVE: CVE-2007-6077

Links:

The session fixation protection mechanism in cgiprocess.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookieonly attribute from the DEFAULTSESSIONOPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

Affected versions: ["1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Recommendation: Update to version 7.0.4.3.

Cross site scripting in rails < 3.0.6

Published date: 2022-04-22T00:24:28Z

CVE: CVE-2011-1497

Links:

A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.

Affected versions: ["3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Recommendation: Update to version 7.0.4.3.

High severity vulnerability that affects rails

Published date: 2017-10-24T18:33:38Z

CVE: CVE-2009-2422

Links:

The example code for the digest authentication functionality (httpauthentication.rb) in Ruby on Rails before 2.3.3 defines an authenticateorrequestwithhttpdigest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

Affected versions: ["2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Recommendation: Update to version 7.0.4.3.

High severity vulnerability that affects rails

Published date: 2017-10-24T18:33:38Z

CVE: CVE-2008-4094

Links:

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.

Affected versions: ["2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.0.0", "0.14.4", "0.14.3", "0.14.2", "0.14.1", "0.13.1", "0.13.0", "0.12.1", "0.12.0", "0.11.1", "0.11.0", "0.10.1", "0.10.0", "0.9.5", "0.9.4.1", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.5", "0.8.0"]

Recommendation: Update to version 7.0.4.3.

444 Other Versions

Version	License	Security	Released
4.1.14.rc2	MIT		2015-11-05 - 02:55	over 7 years
4.1.14.rc1	MIT		2015-10-30 - 20:45	over 7 years
4.1.13	MIT		2015-08-24 - 18:02	over 7 years
4.1.13.rc1	MIT		2015-08-14 - 15:13	over 7 years
4.1.12	MIT		2015-06-25 - 21:26	almost 8 years
4.1.12.rc1	MIT		2015-06-22 - 14:05	almost 8 years
4.1.11	MIT		2015-06-16 - 18:00	almost 8 years
4.1.10	MIT		2015-03-19 - 16:50	about 8 years
4.1.10.rc4	MIT		2015-03-12 - 21:32	about 8 years
4.1.10.rc3	MIT		2015-03-02 - 21:39	about 8 years
4.1.10.rc2	MIT		2015-02-25 - 22:22	about 8 years
4.1.10.rc1	MIT		2015-02-20 - 22:25	about 8 years
4.1.9	MIT		2015-01-06 - 20:04	about 8 years
4.1.9.rc1	MIT		2015-01-02 - 01:11	about 8 years
4.1.8	MIT		2014-11-17 - 16:01	over 8 years
4.1.7.1	MIT		2014-11-19 - 19:12	over 8 years
4.1.7	MIT		2014-10-30 - 18:37	over 8 years
4.1.6	MIT		2014-09-11 - 17:26	over 8 years
4.1.6.rc2	MIT		2014-09-08 - 18:13	over 8 years
4.1.6.rc1	MIT		2014-08-19 - 20:52	over 8 years
4.1.5	MIT		2014-08-18 - 17:01	over 8 years
4.1.4	MIT		2014-07-02 - 19:53	over 8 years
4.1.3	MIT		2014-07-02 - 17:06	over 8 years
4.1.2	MIT		2014-06-26 - 14:50	almost 9 years
4.1.2.rc3	MIT		2014-06-23 - 17:28	almost 9 years
4.1.2.rc2	MIT		2014-06-16 - 16:30	almost 9 years
4.1.2.rc1	MIT		2014-05-27 - 16:12	almost 9 years
4.1.1	MIT		2014-05-06 - 16:11	almost 9 years
4.1.0	MIT		2014-04-08 - 19:21	almost 9 years
4.1.0.rc2	MIT		2014-03-25 - 20:12	about 9 years
4.1.0.rc1	MIT		2014-02-18 - 20:59	about 9 years
4.1.0.beta2	MIT		2014-02-18 - 18:52	about 9 years
4.1.0.beta1	MIT		2013-12-18 - 00:15	over 9 years
4.0.13	MIT		2015-01-06 - 20:08	about 8 years
4.0.13.rc1	MIT		2015-01-02 - 00:54	about 8 years
4.0.12	MIT		2014-11-17 - 16:01	over 8 years
4.0.11.1	MIT		2014-11-19 - 19:09	over 8 years
4.0.11	MIT		2014-10-30 - 18:37	over 8 years
4.0.10	MIT		2014-09-11 - 17:33	over 8 years
4.0.10.rc2	MIT		2014-09-08 - 17:55	over 8 years
4.0.10.rc1	MIT		2014-08-19 - 20:48	over 8 years
4.0.9	MIT		2014-08-18 - 17:03	over 8 years
4.0.8	MIT		2014-07-02 - 19:42	over 8 years
4.0.7	MIT		2014-07-02 - 17:04	over 8 years
4.0.6	MIT		2014-06-26 - 16:30	almost 9 years
4.0.6.rc3	MIT		2014-06-23 - 17:24	almost 9 years
4.0.6.rc2	MIT		2014-06-16 - 16:16	almost 9 years
4.0.6.rc1	MIT		2014-05-27 - 16:06	almost 9 years
4.0.5	MIT		2014-05-06 - 16:13	almost 9 years
4.0.4	MIT		2014-03-14 - 17:37	about 9 years
4.0.4.rc1	MIT		2014-03-11 - 17:31	about 9 years
4.0.3	MIT		2014-02-18 - 18:49	about 9 years
4.0.2	MIT	1	2013-12-03 - 19:01	over 9 years
4.0.1	MIT	1	2013-11-01 - 19:08	over 9 years
4.0.1.rc4	MIT	1	2013-10-30 - 20:49	over 9 years
4.0.1.rc3	MIT	1	2013-10-23 - 21:41	over 9 years
4.0.1.rc2	MIT	1	2013-10-21 - 22:01	over 9 years
4.0.1.rc1	MIT	1	2013-10-17 - 16:46	over 9 years
4.0.0	MIT	1	2013-06-25 - 14:32	almost 10 years
4.0.0.rc2	MIT		2013-06-11 - 20:26	almost 10 years
4.0.0.rc1	MIT		2013-04-29 - 15:39	almost 10 years
4.0.0.beta1	MIT		2013-02-26 - 00:05	about 10 years
3.2.22.5	MIT		2016-09-14 - 21:19	over 6 years
3.2.22.4	MIT		2016-08-11 - 19:20	over 6 years
3.2.22.3	MIT		2016-08-11 - 17:34	over 6 years
3.2.22.2	MIT		2016-02-29 - 19:24	about 7 years
3.2.22.1	MIT		2016-01-25 - 19:26	about 7 years
3.2.22	MIT		2015-06-16 - 18:06	almost 8 years
3.2.21	MIT		2014-11-17 - 16:00	over 8 years
3.2.20	MIT		2014-10-30 - 18:37	over 8 years
3.2.19	MIT		2014-07-02 - 17:02	over 8 years
3.2.18	MIT		2014-05-06 - 16:17	almost 9 years
3.2.17	MIT		2014-02-18 - 18:54	about 9 years
3.2.16	MIT	1	2013-12-03 - 19:01	over 9 years
3.2.15	MIT	1	2013-10-16 - 17:23	over 9 years
3.2.15.rc3	MIT	1	2013-10-11 - 21:17	over 9 years
3.2.15.rc2	MIT	1	2013-10-04 - 20:48	over 9 years
3.2.15.rc1	MIT	1	2013-10-03 - 18:54	over 9 years
3.2.14	MIT	1	2013-07-22 - 16:44	over 9 years
3.2.14.rc2	MIT	1	2013-07-16 - 16:13	over 9 years
3.2.14.rc1	MIT	1	2013-07-13 - 00:25	over 9 years
3.2.13	UNKNOWN	1	2013-03-18 - 17:13	about 10 years
3.2.13.rc2	UNKNOWN	1	2013-03-06 - 23:06	about 10 years
3.2.13.rc1	UNKNOWN	1	2013-02-27 - 20:25	about 10 years
3.2.12	UNKNOWN	1	2013-02-11 - 18:17	about 10 years
3.2.11	UNKNOWN	1	2013-01-08 - 20:08	about 10 years
3.2.10	UNKNOWN	1	2013-01-02 - 21:20	about 10 years
3.2.9	UNKNOWN	1	2012-11-12 - 15:21	over 10 years
3.2.9.rc3	UNKNOWN	1	2012-11-09 - 18:00	over 10 years
3.2.9.rc2	UNKNOWN	1	2012-11-01 - 17:39	over 10 years
3.2.9.rc1	UNKNOWN	1	2012-10-29 - 17:07	over 10 years
3.2.8	UNKNOWN	1	2012-08-09 - 21:23	over 10 years
3.2.8.rc2	UNKNOWN	1	2012-08-03 - 14:29	over 10 years
3.2.8.rc1	UNKNOWN	1	2012-08-01 - 20:57	over 10 years
3.2.7	UNKNOWN	1	2012-07-26 - 22:09	over 10 years
3.2.7.rc1	UNKNOWN	1	2012-07-23 - 21:45	over 10 years
3.2.6	UNKNOWN	1	2012-06-12 - 21:26	almost 11 years
3.2.5	UNKNOWN	1	2012-06-01 - 03:39	almost 11 years
3.2.4	UNKNOWN	1	2012-05-31 - 18:25	almost 11 years
3.2.4.rc1	UNKNOWN	1	2012-05-28 - 19:01	almost 11 years