WEB APPLICATION VULNERABILITIES Standard & Premium

Ruby on Rails Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-17916)

Description

** DISPUTED ** SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

Remediation

References

Related Vulnerabilities

WordPress Plugin WP User Frontend Arbitrary File Upload (2.3.10)

WordPress Plugin WP No External Links Cross-Site Scripting (3.5.18)

Internet Information Services Other Vulnerability (CVE-2002-1745)

Dolibarr Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-8685)

WordPress Plugin WP Idea Stream Cross-Site Scripting (2.1.1)

Severity

High

Classification

CVE-2017-17916 CWE-138 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities