Description

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

Remediation

References

CVE-2013-0155

Related Vulnerabilities

WordPress 4.9.x Prototype Pollution (4.9 - 4.9.19)

phpList Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-4246)

SharePoint Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-1318)

WordPress Plugin Gravity Forms Salesforce Cross-Site Scripting (1.2.4)

Grafana CVE-2024-1442 Vulnerability (CVE-2024-1442)

Severity

Medium

Classification

CVE-2013-0155 CWE-264

Tags

Missing Update Known Vulnerabilities