Description
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
Remediation
References
Related Vulnerabilities
Oracle HTTP Server NULL Pointer Dereference Vulnerability (CVE-2020-1971)
Oracle Database Server CVE-2009-1968 Vulnerability (CVE-2009-1968)
PHP Improper Input Validation Vulnerability (CVE-2013-3735)
WordPress Plugin PIKLIST-Rapid development framework Cross-Site Scripting (0.9.4.25)
WordPress Plugin IMPress for IDX Broker Unspecified Vulnerability (2.5.11)