Description
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
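The following added example (not code from this page or from Ruby's lib/shell.rb) models the pattern the description refers to: a caller-supplied command name dispatched to FileTest, first without validation and then with an allowlist. The names `SafeFileTest`, `ALLOWED`, `unsafe_test` and `rejected?` are hypothetical, and the paths are constructed sample input.

```ruby
# Added illustration: a simplified model of name-based dispatch to FileTest.
# It is not the code from lib/shell.rb; all names below are hypothetical.
module SafeFileTest
  class UnsupportedCommand < ArgumentError; end

  # Only the module functions FileTest defines itself (exist?, directory?, ...).
  ALLOWED = FileTest.singleton_methods(false).map(&:to_s).freeze

  # Unsafe pattern, kept for contrast: the caller-supplied name goes straight
  # to #send, which also reaches private Kernel methods on the receiver.
  def self.unsafe_test(command, *files)
    FileTest.send(command, *files)
  end

  # Hardened form: accept only String/Symbol, require an exact allowlist match,
  # and use public_send so private methods are never reachable.
  def self.test(command, file1, file2 = nil)
    unless command.is_a?(String) || command.is_a?(Symbol)
      raise UnsupportedCommand, "command must be a String or Symbol"
    end
    name = command.to_s
    raise UnsupportedCommand, "unsupported command: #{name.inspect}" unless ALLOWED.include?(name)
    args = file2.nil? ? [file1] : [file1, file2]
    FileTest.public_send(name, *args)
  end

  # True when the hardened entry point refuses the given command name.
  def self.rejected?(command)
    test(command, ".")
    false
  rescue UnsupportedCommand
    true
  end
end

if $PROGRAM_NAME == __FILE__
  missing = "./constructed-missing-path-#{Process.pid}" # constructed sample input
  p SafeFileTest.test("directory?", ".")      # a genuine file test on the current directory
  p SafeFileTest.test(:exist?, missing)       # a genuine file test on a path that does not exist
  p SafeFileTest.unsafe_test("String", ".")   # a non-file-test Kernel method is invoked
  p SafeFileTest.rejected?("String")          # the same name is refused by the allowlist
end
```

On affected Ruby versions, the equivalent control for application code is to never pass request-derived data as the command argument, or to map it through a fixed allowlist like the one above before calling `Shell#[]` or `Shell#test`.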
Remediation
References