$Rails controller possible sensitive information disclosure

Description

Manual confirmation is required for this alert.

Rails scaffolding is a quick way to generate some of the major pieces of a Rails application. When scaffolding is used, Rails will create automatically the models, views, and controllers for a new resource in a single operation. Output formats are handled in the controller automatically. JSON and XML are natively supported by Rails. Sometimes developers use scaffolding but don't properly restrict access to all the APIs generated automatically by Rails. In this case, sensitive information is leaked via the autogenerated APIs. Acunetix WVS found an API that possibly leaks sensitive information.

Remediation

Acunetix WVS cannot confirm this is a real vulnerability. Manual confirmation is required for this alert. Make sure the information disclosed in the HTTP response does not contain any sensitive information. If it does, adjust the Rails controller code to prevent this information from leaking.

References