Description

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.

Remediation

References

CVE-2012-2660

Related Vulnerabilities

Artifactory Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2016-10036)

WordPress Plugin PowerPack Addons for Elementor Multiple Cross-Site Scripting Vulnerabilities (2.3.1)

Jetty Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2021-28163)

Ruby Cryptographic Issues Vulnerability (CVE-2013-4287)

WordPress Plugin Knews Multilingual Newsletters 'ff' Parameter Cross-Site Scripting (1.1.0)

Severity

Medium

Classification

CVE-2012-2660 CWE-264

Tags

Missing Update Known Vulnerabilities