Vulnerability Details CVE-2010-3933
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 71.1%
CVSS Severity
CVSS v2 Score 6.4
References
- http://secunia.com/advisories/41930
- http://securitytracker.com/id?1024624
- http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
- http://www.vupen.com/english/advisories/2010/2719
- http://secunia.com/advisories/41930
- http://securitytracker.com/id?1024624
- http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
- http://www.vupen.com/english/advisories/2010/2719
Products affected by CVE-2010-3933
-
cpe:2.3:a:rubyonrails:rails:2.3.9
-
cpe:2.3:a:rubyonrails:rails:3.0.0