in all Ruby on Rails releases has been
disclosed. "Due to the way dynamic finders in Active Record extract
options from method parameters, a method parameter can mistakenly be used
as a scope. Carefully crafted requests can use the scope to inject
" Fixes can be found in the 3.2.10, 3.1.9, and 3.0.18
releases. This seems like a good one to address quickly.
article has a lot more information on this vulnerability.
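
The mechanism in the quoted advisory text, shown as a simplified model added here. This is not Rails or Active Record code; `ToyFinder`, `find_by`, `safe_scalar` and the sample rows are hypothetical names and constructed data. It shows a Hash-typed parameter being taken as finder options instead of a value, and a type check that rejects it before the finder is called.

```ruby
# Simplified model of option extraction in a dynamic finder.
# NOT Active Record's implementation; all names here are hypothetical.
class ToyFinder
  # Constructed sample rows.
  ROWS = [{ id: 1, name: "alice" }, { id: 2, name: "bob" }].freeze

  # A trailing Hash argument is peeled off and treated as query options,
  # so a Hash passed where a value was expected changes the query's shape.
  def self.find_by(attribute, *args)
    options = args.last.is_a?(Hash) ? args.pop : {}
    value = args.first
    rows = ROWS.select { |row| row[attribute] == value }
    { value: value, options: options, rows: rows }
  end
end

# Defensive check (an assumption of this example, not the upstream fix):
# request parameters can arrive as Hash or Array when the client sends
# nested keys, so accept only scalars and coerce them to String.
def safe_scalar(param)
  case param
  when String, Integer then param.to_s
  else raise ArgumentError, "unexpected parameter type: #{param.class}"
  end
end

# Unguarded call path: whatever type the request carried reaches the finder.
def lookup_unguarded(param)
  ToyFinder.find_by(:name, param)
end

# Guarded call path: non-scalar input is rejected before the finder runs.
def lookup_guarded(param)
  ToyFinder.find_by(:name, safe_scalar(param))
end
```
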