CVE-2013-2694
Published: 2014-03-28
Priority: P4 · 22 · medium · CVSS 2.0 base score 5.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS: 1.99% (78.2th percentile)
Open redirect vulnerability in invite.php in the WP Symposium plugin 13.04 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the u parameter.
Affected: 5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| activerecord_project | activerecord | >= 3.0.0 < 3.0.19 | 3.0.19 |
| activerecord_project | activerecord | >= 3.1.0 < 3.1.10 | 3.1.10 |
| activerecord_project | activerecord | >= 3.2.0 < 3.2.11 | 3.2.11 |
| activerecord_project | activerecord | >= 4.2.0 < 4.2.7.1 | 4.2.7.1 |
| wpsymposiumpro | wp_symposium | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| ghsa | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |
VulDB: WP Symposium 13.04 invite.php input validation (BID-59045 / SA52925)
Source: vuldb · 2026-05-09 · CVSS 5.8 · CVE-2013-2694 · MEDIUM
A vulnerability, which was classified as critical, was found in WP Symposium 13.04. The impacted element is an unknown function of the file invite.php. The manipulation results in improper input validation.
This vulnerability is known as CVE-2013-2694. It is possible to launch the attack remotely. No exploit is available.
GHSA: GHSA-jwf3-jj2g-477v: Open redirect vulnerability in invite
Source: ghsa_unreviewed · 2022-05-14 · CVE-2013-2694 · MEDIUM · CWE-20
Open redirect vulnerability in invite.php in the WP Symposium plugin 13.04 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the u parameter.
GHSA: Moderate severity vulnerability that affects activerecord
Source: ghsa · 2018-08-13 · CVSS 6.4 · MEDIUM
Withdrawn, accidental duplicate publish.
Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
GHSA: Active Record allows bypassing of database-query restrictions
Source: ghsa · 2017-10-24 · CVSS 6.4 · CVE-2013-0155 · MEDIUM · CWE-284
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
GHSA: ActiveRecord in Ruby on Rails allows database-query bypass
Source: ghsa · 2017-10-24 · CVSS 6.4 · CVE-2016-6317 · MEDIUM · CWE-284
Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
Red Hat: rubygem-activerecord: unsafe query generation in Active Record
Source: vendor_redhat · 2016-08-11 · CVSS 6.4 · CVE-2016-6317 · MEDIUM · CWE-20
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application.
Red Hat: rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails
Source: vendor_redhat · 2013-01-08 · CVSS 6.4 · CVE-2013-0155 · MEDIUM · CWE-89
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.