Description

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

Remediation

References

CVE-2011-2930

Related Vulnerabilities

phpList Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2020-15072)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-5268)

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2021-32615)

WordPress Plugin Accordion Cross-Site Scripting (2.2.29)

WordPress Plugin RegistrationMagic-Custom Registration Forms, User Registration, Payment, and User Login SQL Injection (5.0.2.1)

Severity

High

Classification

CVE-2011-2930 CWE-138

Tags

Missing Update Known Vulnerabilities