Description

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

Remediation

References

CVE-2012-6496

Related Vulnerabilities

ZenCart Improper Input Validation Vulnerability (CVE-2009-4321)

Java Code Execution Vulnerability (CVE-2019-2745)

MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2022-29905)

MySQL Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2012-0882)

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-7484)

Severity

High

Classification

CVE-2012-6496 CWE-138

Tags

Missing Update Known Vulnerabilities