CVE-2010-3933
Ruby on Rails 2.3.9 and 3.0.0 - Arbitrary Record Modification via Nested Attributes Parameter Manipulation
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
References (4)
Core References
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2719
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/41930
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1024624
Vendor Advisory x_refsource_confirm
http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
Scores
EPSS
0.0071
EPSS Percentile
72.5%
Details
CWE
CWE-20
Status
published
Products (3)
rubygems/activerecord
2.3.9 - 2.3.10 RubyGems
rubyonrails/rails
2.3.9
rubyonrails/rails
3.0.0
Published
Oct 28, 2010
Tracked Since
Feb 18, 2026