Description

Manual confirmation is required for this alert.

Rails scaffolding is a quick way to generate some of the major pieces of a Rails application. When scaffolding is used, Rails will create automatically the models, views, and controllers for a new resource in a single operation. Output formats are handled in the controller automatically. JSON and XML are natively supported by Rails. Sometimes developers use scaffolding but don't properly restrict access to all the APIs generated automatically by Rails. In this case, sensitive information is leaked via the autogenerated APIs. Acunetix found an API that possibly leaks sensitive information.

Remediation

Acunetix cannot confirm this is a real vulnerability. Manual confirmation is required for this alert. Make sure the information disclosed in the HTTP response does not contain any sensitive information. If it does, adjust the Rails controller code to prevent this information from leaking.

References

Ruby on Rails Security Guide

Related Vulnerabilities

WordPress Plugin Backup Migration Arbitrary File Download (1.3.6)

WordPress Plugin Aspose Cloud eBook Generator Arbitrary File Download (1.0)

WordPress Plugin WP Import Export Information Disclosure (3.9.15)

Adminer 4.6.2 file disclosure vulnerability

WordPress Plugin Email Subscribers by Icegram Express-Email Marketing, Newsletters, Automation for WordPress & WooCommerce Information Disclosure (3.4.7)

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure