Description
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly account for differences in parameter handling between the Active Record component and the JSON parameter parser. A remote attacker can send a crafted request whose JSON parameters decode to values such as "[nil]"; when such a value reaches an Active Record query condition it is interpreted as a NULL check (an IS NULL comparison) or causes the intended WHERE clause to be dropped, bypassing the restrictions the query was meant to enforce. Values are still quoted, so this does not allow arbitrary SQL injection, but it lets the attacker match rows the application never intended to expose. This is a related issue to CVE-2012-2660 and CVE-2012-2694.
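The mechanism in miniature, as an added example that is not Rails' code and not taken from the advisory: a toy compiler from a hash of equality conditions to a SQL WHERE fragment, using the nil semantics the description refers to (nil compiles to IS NULL, an array to IN, an array containing nil adds an IS NULL alternative), a request handler that guards only against a nil parameter, and a parameter sanitizer written in the spirit of the deep-munge approach (my own reimplementation, an assumption, not the Rails method). The request bodies are constructed. The function and parameter names are hypothetical.

```ruby
require 'json'

# Illustrative helper, not Rails' own: quote a scalar for SQL. Because values
# are quoted, the bug below is purely about how nil is interpreted, not injection.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Toy condition compiler: {column => value} -> "WHERE ..." (assumption: modelled
# on typical ORM behaviour, not a copy of Active Record's predicate builder).
#   nil      -> column IS NULL
#   [a, b]   -> column IN ('a', 'b')
#   [a, nil] -> (column IN ('a') OR column IS NULL)
#   []       -> 1=0  (an empty set can never match)
def compile_where(conditions)
  clauses = conditions.map do |column, value|
    case value
    when nil
      "#{column} IS NULL"
    when Array
      present = value.compact
      alts = []
      alts << "#{column} IN (#{present.map { |v| quote(v) }.join(', ')})" unless present.empty?
      alts << "#{column} IS NULL" if present.size < value.size
      alts.empty? ? '1=0' : "(#{alts.join(' OR ')})"
    else
      "#{column} = #{quote(value)}"
    end
  end
  clauses.empty? ? '' : "WHERE #{clauses.join(' AND ')}"
end

# Vulnerable pattern: the handler only rejects a missing/nil token. The
# constructed body {"token":[null]} parses to [nil], which is truthy, so the
# guard passes and the query becomes "token IS NULL", matching every row whose
# token column is unset (for example accounts that never set a reset token).
def vulnerable_lookup_sql(json_body)
  params = JSON.parse(json_body)
  return nil if params['token'].nil?   # guard that [nil] slips past
  compile_where('token' => params['token'])
end

# Sanitizer in the spirit of deep-munge (our own version, not Rails'):
# recursively strip nils from arrays and drop hash entries whose value is nil,
# so an attacker-supplied null never reaches the condition builder. An array
# that becomes empty is kept as [], which the compiler turns into 1=0.
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      cleaned = deep_munge(v)
      out[k] = cleaned unless cleaned.nil?
    end
  when Array
    value.compact.map { |e| deep_munge(e) }.compact
  else
    value
  end
end

# Hardened pattern: munge the params and additionally insist on the scalar type
# the lookup expects. The type check alone closes the [nil] case; the munge
# protects any other query the same request feeds.
def hardened_lookup_sql(json_body)
  params = deep_munge(JSON.parse(json_body))
  token = params['token']
  return nil unless token.is_a?(String) && !token.empty?
  compile_where('token' => token)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_lookup_sql('{"token":[null]}')   # WHERE (token IS NULL)
  puts hardened_lookup_sql('{"token":[null]}').inspect   # nil (rejected)
  puts hardened_lookup_sql('{"token":"abc"}')       # WHERE token = 'abc'
end
```

Note that munging alone is not a complete fix at the application level: after munging, a dropped key reads back as nil, and nil still compiles to IS NULL in the toy compiler above, so the handler must check the parameter's type before building the query, which is what the hardened path does.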
Remediation
Upgrade to the fixed release for your branch: Rails 3.0.19, 3.1.10, or 3.2.11 (or later). Independently of the framework fix, request handlers should validate the type of any parameter they pass into a query condition (for example, accept only a non-empty String where a single token is expected), since a JSON body can supply arrays, hashes, or nulls in place of the scalar the code assumes.