This alert requires user confirmation. It may be a false positive.
Multiple weaknesses in the parameter parsing code of Ruby on Rails allow attackers to bypass authentication, inject arbitrary SQL, inject and execute arbitrary code, or cause a denial of service in a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.
The parameter parsing code of Ruby on Rails automatically casts request values from strings to certain data types, based on type annotations in the request body (for example the `type` attribute of XML parameters). Unfortunately the type casting code supported conversions that are not suitable for user-provided data, including creating Symbols and parsing YAML. An attacker who controls the request body can therefore have the application deserialize arbitrary YAML, which is what turns a parameter-parsing quirk into code execution, or substitute a Hash, Array or Symbol where the application expects a plain String, which is what enables the SQL injection and authentication bypass variants. Unbounded Symbol creation on Ruby versions that do not garbage-collect Symbols exhausts memory and gives the denial of service.
- Consult Web References for detailed information about protecting against this vulnerability.
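The following is an added illustration, not code from the Rails project or from this advisory: a minimal XML parameter parser with a type-casting table in the style of the affected code, beside the hardened table that drops the `symbol` and `yaml` conversions (the advisory's documented workaround was to delete exactly those two keys from `ActiveSupport::XmlMini::PARSING`). The request bodies, the element names `token`, `id` and `count`, and the cast table itself are constructed for the example.

```ruby
require "rexml/document"
require "yaml"

# Illustrative type-cast table (constructed, not the framework's own table).
# The XML parser looks the element's type="..." attribute up here and applies
# the matching conversion to the element text supplied by the client.
VULNERABLE_CASTS = {
  "integer" => ->(v) { v.to_i },
  "boolean" => ->(v) { %w[true 1].include?(v.strip) },
  "string"  => ->(v) { v.to_s },
  # The two conversions removed by the CVE-2013-0156 fix:
  "symbol"  => ->(v) { v.to_sym },     # client-controlled Symbol creation
  "yaml"    => ->(v) { YAML.load(v) }, # client-controlled YAML deserialization
}.freeze

# Hardened table: identical, minus the two dangerous entries. Unknown types
# fall through to the raw string in parse_params below.
HARDENED_CASTS = VULNERABLE_CASTS.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Parse <request><name type="t">text</name>...</request> into a Hash,
# casting each value with the supplied table.
def parse_params(xml, casts)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    caster = casts[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = caster ? caster.call(text) : text
  end
end

# Returns the parameter values that are not plain scalars, i.e. the ones an
# application expecting a String would mishandle (Hash/Array/Symbol/nil).
def non_scalar_params(params)
  params.reject { |_, v| v.is_a?(String) || v.is_a?(Integer) || v == true || v == false }
end

# Constructed request bodies. The attacker relabels a field the application
# expects to be a token string as type="yaml" and ships a YAML mapping with a
# Symbol key; a second body asks for a Symbol directly.
YAML_PAYLOAD = "--- \n:admin: true\n"
ATTACK_BODY  = "<request><token type=\"yaml\">#{YAML_PAYLOAD}</token></request>"
SYMBOL_BODY  = "<request><id type=\"symbol\">some_attacker_string</id></request>"
BENIGN_BODY  = "<request><count type=\"integer\">3</count><name>alice</name></request>"

if __FILE__ == $PROGRAM_NAME
  vuln = parse_params(ATTACK_BODY, VULNERABLE_CASTS)
  safe = parse_params(ATTACK_BODY, HARDENED_CASTS)
  puts "vulnerable parser: token => #{vuln['token'].inspect} (#{vuln['token'].class})"
  puts "hardened parser:   token => #{safe['token'].inspect} (#{safe['token'].class})"
  puts "non-scalar params under vulnerable table: #{non_scalar_params(vuln).keys.inspect}"
  puts "non-scalar params under hardened table:   #{non_scalar_params(safe).keys.inspect}"
end
```

With the vulnerable table the `token` parameter arrives in application code as the Hash `{:admin=>true}` rather than a String; the hardened table hands the application the raw YAML text, which it can then treat like any other bad token. The `non_scalar_params` check is the kind of assertion a practitioner can run over decoded parameters to confirm that no request body can smuggle in structured values after the mitigation is applied.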