Severity
9.3 CRITICAL (NVD)
6.4 (GHSA)
EPSS
57.0%
top 1.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 14
Latest update: May 4

Description

Microsoft Internet Explorer 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "VML Remote Code Execution Vulnerability."

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages: 2 packages

Patches

🔴 Vulnerability Details (4)

GHSA: GHSA-xh3j-g6g3-34w7: Microsoft Internet Explorer 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a delet (2022-05-04)
GHSA: Moderate severity vulnerability that affects activerecord (2018-08-13)
GHSA: Active Record allows bypassing of database-query restrictions (2017-10-24)
GHSA: ActiveRecord in Ruby on Rails allows database-query bypass (2017-10-24)

📋 Vendor Advisories (2)

Red Hat: rubygem-activerecord: unsafe query generation in Active Record (2016-08-11)
Red Hat: rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails (2013-01-08)

🕵️ Threat Intelligence (1)

Zscaler: Zscaler Protects against Microsoft's Patch Cycle | Round 12

💬 Community (2)

Bugzilla: CVE-2013-0155 rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails (2013-01-08)
Bugzilla: CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack (2013-01-08)
CVE-2012-0155 — Code Injection in Microsoft | cvebase