This alert requires user confirmation. It may be a false positive.
There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.
The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type casting code supported certain conversions which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.
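The defensive side of the issue described above, as an added illustration that is not part of this alert and not Rails' own code: a typed-value caster that only knows an allowlist of conversions (integer, float, boolean, datetime, string) and refuses the "symbol" and "yaml" types, plus a lightweight scanner a WAF rule or log check can run over a raw XML request body to flag those type attributes. The table name SAFE_PARSING, the helper names and the two sample bodies are constructed for this example.

```ruby
# Added example (not from the alert or from Rails): an allowlist-based
# type caster and a detector for the dangerous XML "type" attributes.
require 'date'

# Only conversions that are safe to apply to untrusted input. Rails' own
# parser table also carried "symbol" and "yaml"; they are deliberately absent here.
SAFE_PARSING = {
  'integer'  => ->(v) { Integer(v.strip, 10) },
  'float'    => ->(v) { Float(v.strip) },
  'boolean'  => ->(v) { %w[1 true].include?(v.strip.downcase) },
  'datetime' => ->(v) { DateTime.parse(v.strip) },
  'string'   => ->(v) { v }
}.freeze

# Type names that must never be honoured for user-supplied parameters.
UNSAFE_TYPES = %w[symbol yaml].freeze

class UnsafeTypeCast < StandardError; end

# Cast one XML element value according to its declared type attribute.
# Unknown or unsafe types raise instead of falling through to a conversion.
def typecast_xml_value(type, raw)
  conv = SAFE_PARSING[type.to_s.downcase]
  raise UnsafeTypeCast, "refusing to cast type=#{type.inspect}" unless conv
  conv.call(raw)
end

# Matches a type="..." attribute inside a single start tag; [^>]* cannot
# cross a '>' so each tag is inspected on its own.
TYPE_ATTR = /<\s*[\w:-]+[^>]*\btype\s*=\s*["']([^"']+)["']/i

# Return the distinct unsafe type names declared anywhere in an XML body.
def unsafe_types_in(body)
  body.scan(TYPE_ATTR).flatten.map(&:downcase).select { |t| UNSAFE_TYPES.include?(t) }.uniq
end

# True when the body declares no symbol/yaml typed elements.
def xml_body_allowed?(body)
  unsafe_types_in(body).empty?
end

# Constructed sample request bodies for the demonstration.
SAMPLE_BENIGN  = '<user><id type="integer">7</id><admin type="boolean">false</admin></user>'
SAMPLE_SUSPECT = '<user><name type="yaml">--- hello</name></user>'

if __FILE__ == $PROGRAM_NAME
  puts typecast_xml_value('integer', '7')          # 7
  puts xml_body_allowed?(SAMPLE_BENIGN)            # true
  puts unsafe_types_in(SAMPLE_SUSPECT).inspect     # ["yaml"]
  begin
    typecast_xml_value('yaml', '--- hello')
  rescue UnsafeTypeCast => e
    puts "blocked: #{e.message}"
  end
end
```

In a real Rails application the equivalent of the allowlist above is the workaround published with the advisory for CVE-2013-0156: remove the two conversions from Rails' own table in an initializer, `ActiveSupport::XmlMini::PARSING.delete("symbol")` and `ActiveSupport::XmlMini::PARSING.delete("yaml")`, or disable XML parameter parsing entirely if the application does not need it; upgrading to a patched Rails release remains the proper fix.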
- Consult Web References for detailed information about protecting against this vulnerability.