Description

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

Remediation

References

CVE-2014-3514

Related Vulnerabilities

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-29002)

WordPress Plugin WP Events Calendar 'event_id' Parameter SQL Injection (6.5.2)

WordPress Plugin Advanced User Registration and Management Cross-Site Scripting (2.3.5)

WordPress Plugin Portfolio Responsive Gallery SQL Injection (1.1.7)

Sqlite Integer Overflow or Wraparound Vulnerability (CVE-2015-3416)

Severity

High

Classification

CVE-2014-3514 CWE-264

Tags

Missing Update Known Vulnerabilities