Description
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
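The following Ruby script is an added example, not code from the page or from Rails itself. It models the behaviour the description refers to: a query string such as token[]=xyz&token[] is parsed by Rack into ["xyz", nil], and a where(:token => value) condition built from that array gains an OR token IS NULL branch, so a lookup meant to match one token also matches every row whose token column is NULL. The parser (parse_query), the SQL builder (where_sql) and the two munging functions (munge_incomplete, reconstructing a fix that only rewrites a bare [nil]; munge_fixed, reconstructing one that also strips nils from arrays) are simplified reconstructions written for this example and are assumptions about the framework's logic, not its source.

```ruby
require 'uri'

# Minimal model of Rack's nested query parsing (constructed for this example,
# not Rack's own code): "k=v" -> scalar, "k[]=v" -> array element, and a bare
# "k[]" with no "=" -> a nil array element, the shape the advisory refers to.
def parse_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_val = pair.split('=', 2)
    key = URI.decode_www_form_component(raw_key)
    val = raw_val.nil? ? nil : URI.decode_www_form_component(raw_val)
    if key.end_with?('[]')
      (params[key[0...-2]] ||= []) << val
    else
      params[key] = val
    end
  end
  params
end

# Simplified model (an assumption, not Active Record's code) of how a
# where(column => value) hash becomes SQL: nil -> IS NULL, an array -> IN (...)
# and any nil inside the array adds an "OR column IS NULL" branch.
def where_sql(column, value)
  quote = ->(v) { "'#{v.to_s.gsub("'", "''")}'" }
  case value
  when nil
    "#{column} IS NULL"
  when Array
    present = value.compact
    parts = []
    parts << "#{column} IN (#{present.map(&quote).join(', ')})" unless present.empty?
    parts << "#{column} IS NULL" if value.include?(nil)
    parts.empty? ? '1=0' : parts.join(' OR ')
  else
    "#{column} = #{quote.call(value)}"
  end
end

# Reconstruction (an assumption, not Rails' source) of an incomplete hardening:
# only a value that is exactly [nil] is rewritten to nil, so ['xyz', nil]
# still reaches the query builder with its nil element intact.
def munge_incomplete(params)
  params.each { |k, v| params[k] = nil if v == [nil] }
  params
end

# Reconstruction (an assumption, not Rails' source) of the completed hardening:
# nil elements are stripped from every array, nested hashes are munged too,
# and an array left empty collapses to nil.
def munge_fixed(params)
  params.each do |k, v|
    case v
    when Array
      v.grep(Hash) { |h| munge_fixed(h) }
      v.compact!
      params[k] = nil if v.empty?
    when Hash
      munge_fixed(v)
    end
  end
  params
end

# Parse a raw query string, apply the given munging step, and return the SQL
# that a lookup of the "token" column would produce (hypothetical column name).
def sql_for(query_string, munge)
  params = parse_query(query_string)
  munge.call(params)
  where_sql('token', params['token'])
end

if __FILE__ == $0
  crafted = 'token[]=xyz&token[]'   # constructed attacker request
  puts sql_for(crafted, method(:munge_incomplete)) # token IN ('xyz') OR token IS NULL
  puts sql_for(crafted, method(:munge_fixed))      # token IN ('xyz')
end
```

With the incomplete munging, the crafted request still yields a condition that matches any row with a NULL token (for example an account whose reset token was never set), which is the bypass the description calls a NULL check. With nils stripped from the array, the condition is restricted to the literal value supplied.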
Remediation
Upgrade to a release that is not in the affected ranges given in the description: Ruby on Rails 3.0.14, 3.1.6 or 3.2.6, or a later release of the respective branch. Applications on an affected release should not pass request parameter values straight into Active Record conditions without first rejecting nil elements inside arrays.
References
Related Vulnerabilities
Lighttpd Other Vulnerability (CVE-2007-3949)
WordPress Plugin WordPress Colorbox Lightbox Cross-Site Scripting (1.1.2)
Oracle Application Server CVE-2008-4014 Vulnerability (CVE-2008-4014)
WordPress Plugin WordPress Clean Up & Optimizer-Clean Up Optimizer SQL Injection (3.0.13)
Next.js User Interface (UI) Misrepresentation of Critical Information Vulnerability (CVE-2022-23646)