Description

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

Remediation

References

CVE-2014-3514

Related Vulnerabilities

phpMyFAQ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-1885)

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-8132)

WordPress Plugin Comments-wpDiscuz Cross-Site Scripting (7.3.1)

ownCloud Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2014-2044)

Liferay Portal Cleartext Storage of Sensitive Information Vulnerability (CVE-2021-33323)

Severity

High

Classification

CVE-2014-3514 CWE-264

Tags

Missing Update Known Vulnerabilities