CVE-2010-3933 – activerecord
Package
Manager: gem
Name: activerecord
Vulnerable Version: >=2.3.9 <2.3.10 || >=3.0.0 <3.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00712 (percentile: 0.71419)
Details
The Rails activerecord gem has an Improper Input Validation vulnerability. Ruby on Rails 2.3.9 and 3.0.0 do not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
Metadata
Created: 2017-10-24T18:33:38Z
Modified: 2023-05-26T16:50:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-gjxw-5w2q-7grf/GHSA-gjxw-5w2q-7grf.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-gjxw-5w2q-7grf
Finding: F184
Auto approve: 1