Data Injection Vulnerability in Active Record

There is a data injection vulnerability in Active Record. Specially crafted strings can be used to save data in PostgreSQL array columns that may not be intended. This vulnerability has been assigned the CVE identifier CVE-2014-0080.

Versions Affected: 4.0.x, 4.1.0.beta1
Not affected: 3.2.x and older
Fixed Versions: 4.0.3, 4.1.0.beta2

XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human

There is an XSS vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0081.

Versions Affected: All.
Fixed Versions: 4.1.0.beta2, 4.0.3, 3.2.17.

Denial of Service Vulnerability in Action View when using render :text

There is a denial of service vulnerability in the text rendering component of Action View. This vulnerability has been assigned the CVE identifier CVE-2014-0082.

Versions Affected: 3.0.x, 3.1.x, 3.2.x
Not affected: 4.0.x
Fixed Versions: 3.2.17
Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at the moment.
(In reply to Hans de Graaff from comment #1)
> Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at
> the moment.

Cleanup, please.
Vulnerable versions have been removed.
Maintainer(s), Thank you for cleanup! No GLSA needed as there are no stable versions.