---
url: http://www.osvdb.org/show/osvdb/82403
title: Ruby on Rails where Method ActiveRecord Class SQL Injection 

description: > 
  Ruby on Rails (RoR) contains a flaw that may allow an attacker to
  carry out an SQL injection attack. The issue is due to the
  ActiveRecord class not properly sanitizing user-supplied input to
  the 'where' method. This may allow an attacker to inject or
  manipulate SQL queries in an application built on RoR, allowing for
  the manipulation or disclosure of arbitrary data.

cvss_v2: 5.0

patched_versions:
  - ~> 3.0.13
  - ~> 3.1.5
  - ">= 3.2.4"