Description

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

Remediation

References

CVE-2013-0155

Related Vulnerabilities

Handlebars Other Vulnerability (CVE-2021-23383)

Apache Tomcat Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2018-1336)

PrestaShop URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2020-5270)

Apache HTTP Server CVE-2004-0751 Vulnerability (CVE-2004-0751)

WordPress Plugin Easy Contact Form Builder Cross-Site Scripting (1.0)

Severity

Medium

Classification

CVE-2013-0155 CWE-264

Tags

Missing Update Known Vulnerabilities