The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| authlogic(RubyGems) | 0 | 3.3.0 | N/A |
CVSS Metrics
