Ruby on Rails has fixed three vulnerabilities with its new releases 4.0.3, 3.2.17 and 4.1.0.beta2, addressing a data injection issue, a cross-site scripting issue and a denial-of-service issue.
The developers said the vulnerabilities fixed in 3.2.17 have the identifiers CVE-2014-0081 and CVE-2014-0082. In Rails 4.0.3, the developers fixed the issues tracked as CVE-2014-0080 and CVE-2014-0081.
In 4.1.0.beta2, the list of security fixes includes CVE-2014-0080 and CVE-2014-0081.
CVE-2014-0080 is a data injection vulnerability affecting Active Record. The flaw can be exploited to inject data into array columns in PostgreSQL databases.
CVE-2014-0081 refers to a cross-site scripting (XSS) vulnerability in the “number_to_currency,” “number_to_percentage” and “number_to_human” helpers.
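The following is an added illustration of the bug class behind CVE-2014-0081, written for this page and not Rails' own code: a toy `number_to_currency` that builds HTML by interpolating caller-supplied option strings such as `unit`, `separator`, `delimiter` and `format`. The first variant trusts those options, so an attacker who controls the unit string gets markup into the page; the second variant HTML-escapes every option before interpolation, which is the remedy the Rails fix applied to these helpers. The function names, the simplified formatting logic and the sample payload are assumptions made for the example.

```ruby
require "erb"

# Constructed, simplified stand-in for a Rails-style number helper (not Rails' code).
# Groups the integer digits with `delimiter` and joins the fraction with `separator`.
def format_number_with_delimiters(number, delimiter:, separator:)
  int_part, frac_part = ("%.2f" % number).split(".")
  int_part = int_part.gsub(/(\d)(?=(\d{3})+$)/) { "#{$1}#{delimiter}" }
  "#{int_part}#{separator}#{frac_part}"
end

# Vulnerable variant: option strings reach the output unescaped. In a real helper
# the result is marked html_safe, so the view layer never escapes it either.
# Block form of gsub is used so that backslashes in options are not treated as
# backreferences in the replacement.
def unsafe_number_to_currency(number, unit: "$", separator: ".", delimiter: ",", format: "%u%n")
  formatted = format_number_with_delimiters(number, delimiter: delimiter, separator: separator)
  format.gsub("%u") { unit }.gsub("%n") { formatted }
end

# Hardened variant: every caller-supplied string option is HTML-escaped before it is
# interpolated, so a unit like "<img src=x onerror=alert(1)>" is rendered as text.
def safe_number_to_currency(number, unit: "$", separator: ".", delimiter: ",", format: "%u%n")
  esc = ->(s) { ERB::Util.html_escape(s.to_s) }
  formatted = format_number_with_delimiters(number, delimiter: esc.(delimiter), separator: esc.(separator))
  esc.(format).gsub("%u") { esc.(unit) }.gsub("%n") { formatted }
end

# Constructed attacker-controlled unit, e.g. a currency symbol taken from user input.
MALICIOUS_UNIT = "<img src=x onerror=alert(1)>"

# Returns both renderings for the same input so the difference is visible side by side.
def demo_currency_xss(amount = 1234.5)
  {
    unsafe: unsafe_number_to_currency(amount, unit: MALICIOUS_UNIT),
    safe:   safe_number_to_currency(amount, unit: MALICIOUS_UNIT)
  }
end

if __FILE__ == $0
  demo_currency_xss.each { |label, html| puts "#{label}: #{html}" }
end
```

The point to check in an application, beyond upgrading, is whether any of these option values are ever derived from request parameters or database content that a user can influence; if so, the pre-fix helpers emit that content verbatim inside an html_safe string.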
CVE-2014-0082 is a denial-of-service (DoS) issue in Action View. The issue affects the text rendering component of Action View.
Users should update their installations as soon as possible.