Description

Manual confirmation is required for this alert.

Rails scaffolding is a quick way to generate some of the major pieces of a Rails application. When scaffolding is used, Rails will create automatically the models, views, and controllers for a new resource in a single operation. Output formats are handled in the controller automatically. JSON and XML are natively supported by Rails. Sometimes developers use scaffolding but don't properly restrict access to all the APIs generated automatically by Rails. In this case, sensitive information is leaked via the autogenerated APIs. Acunetix found an API that possibly leaks sensitive information.

Remediation

Acunetix cannot confirm this is a real vulnerability. Manual confirmation is required for this alert. Make sure the information disclosed in the HTTP response does not contain any sensitive information. If it does, adjust the Rails controller code to prevent this information from leaking.

References

Ruby on Rails Security Guide

Related Vulnerabilities

XML external entity injection

TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-1607)

WordPress Plugin Profile Builder-User Profile & User Registration Forms Information Disclosure (3.9.0)

Jenkins open people list

TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-5104)

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure