Ruby · Ruby On Rails · CVE-2013-6417
**Name of the Vulnerable Software and Affected Versions**
Ruby on Rails versions prior to 3.2.16
Ruby on Rails versions 4.x prior to 4.0.2
**Description**
The issue arises from improper consideration of differences in parameter handling between the Active Record component and the JSON parameter parsing in `actionpack/lib/action_dispatch/http/request.rb`. This allows remote attackers to bypass intended database-query restrictions and cause unintended NULL checks or missing WHERE clauses in generated queries via a crafted request. Such a request can reach the vulnerable code through third-party Rack middleware or custom Rack middleware.
**Recommendations**
For Ruby on Rails versions prior to 3.2.16, update to version 3.2.16 or later.
For Ruby on Rails versions 4.x prior to 4.0.2, update to version 4.0.2 or later.
As a temporary workaround, consider restricting access to custom Rack middleware and third-party Rack middleware until a patch is applied.
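The description above turns on how JSON `null` values inside arrays survive into Active Record conditions. The following added example (written for this page, not code from the advisory or from Rails) shows a defensive normalisation pass in the spirit of Rails' `deep_munge`: nils are stripped from arrays and an array left empty collapses to nil, so a crafted value such as `{"token":[null]}` no longer passes a naive presence check on its way to a query. The `present?` helper and the sample request bodies are constructed stand-ins.

```ruby
require 'json'

# Recursively normalise a parsed JSON structure (hypothetical helper, modelled on
# the deep_munge idea): strip nils from arrays, collapse empty arrays to nil,
# and descend into nested hashes and arrays so deeper payloads get the same treatment.
def deep_munge(value)
  case value
  when Hash
    value.each { |k, v| value[k] = deep_munge(v) }
  when Array
    cleaned = value.map { |v| deep_munge(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Minimal stand-in for ActiveSupport's present?: nil, "" and [] are blank.
# Note that [nil] is NOT blank, which is exactly what a crafted request relies on:
# it passes a presence check yet Active Record would turn it into an IS NULL test.
def present?(value)
  !(value.nil? || (value.respond_to?(:empty?) && value.empty?))
end

# Parse a JSON body the way a params parser would, then normalise it before any
# downstream middleware or controller hands the values to Active Record.
def sanitized_params(json_body)
  deep_munge(JSON.parse(json_body))
end

# Constructed sample request bodies: one legitimate, one crafted with null arrays.
LEGIT_BODY   = '{"token":"abc123"}'
CRAFTED_BODY = '{"token":[null],"filter":{"ids":[null,null]}}'

if __FILE__ == $0
  raw = JSON.parse(CRAFTED_BODY)
  puts "raw token present?    #{present?(raw['token'])}"                              # true: slips through
  puts "munged token present? #{present?(sanitized_params(CRAFTED_BODY)['token'])}"   # false: can be rejected
  p sanitized_params(CRAFTED_BODY)   # {"token"=>nil, "filter"=>{"ids"=>nil}}
end
```

After normalisation the controller's existing presence validation rejects the crafted body, which is the behaviour the fixed Rails versions restore for JSON parameters.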