PT-2010-5174 · Ruby+1 · Ruby On Rails+1

Publicado

2010-10-27

Atualizado

2019-08-08

CVE-2010-3933

CVSS v2.0

6.4

Média

Vetor

AV:N/AC:L/Au:N/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions 2.3.9 through 3.0.0

Description The issue allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs, due to improper handling of nested attributes.

Recommendations For versions 2.3.9 and 3.0.0, consider restricting access to the affected parameters until a proper fix is applied, or apply configuration changes to handle nested attributes correctly. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2010-3933

GHSA-GJXW-5W2Q-7GRF

SUSE-SU-2012_0434-1

Produtos afetados

Ruby On Rails

Suse

PT-2010-5174 · Ruby+1 · Ruby On Rails+1

CVE-2010-3933

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 13