Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Ruby on Rails Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-6497)

Description

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

Remediation

References

Related Vulnerabilities

WordPress 3.5 Multiple Vulnerabilities (1.5 - 3.5)

WordPress Plugin Appointment Hour Booking-WordPress Booking Cross-Site Scripting (1.3.15)

WordPress Plugin Custom Dashboard & Login Page-AGCA Multiple Unspecified Vulnerabilities (1.5.4.2)

WordPress Plugin Simple Custom CSS and JS Cross-Site Scripting (3.3)

Apache Tomcat Other Vulnerability (CVE-2002-2006)

Severity

Medium

Classification

CVE-2012-6497 CWE-200

Tags

Missing Update Known Vulnerabilities