Ruby on Rails Multiple Vulnerabilities
Last Update Date: 20 Mar 2013 14:57
Release Date: 20 Mar 2013
RISK: Medium Risk
TYPE: Clients - Productivity Products
Multiple vulnerabilities have been identified in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).
- An error when handling keys to a hash in Active Record can be exploited to potentially convert hash keys to symbols and cause a DoS condition.
- Certain input is not properly sanitised in the "sanitize_css" method in Action Pack before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
- An error when parsing XML entities via ActiveSupport::XmlMini_JDOM in ActiveSupport can potentially be exploited to e.g. disclose contents of certain local files or cause a DoS condition by sending specially crafted XML data including external entity references. Successful exploitation of this vulnerability requires a JRuby application using the JDOM backend. This vulnerability is reported in versions 3.0.0 and later.
- The sanitize helper within the HTML module does not properly verify allowed protocols, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Impact
- Cross-Site Scripting
- Denial of Service
- Remote Code Execution
System / Technologies affected
- Ruby on Rails 2.3.x
- Ruby on Rails 3.0.x
- Ruby on Rails 3.1.x
- Ruby on Rails 3.2.x
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Update or upgrade to version 3.2.13, 3.1.12 or 2.3.18, or apply the patches (see the vendor's advisory for details):
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
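As an added check that is not part of the advisory, the following Ruby reads the Rails version pinned in a Gemfile.lock and compares it with the fixed releases named above (3.0.x has no fixed release listed here, so it is always reported as needing an upgrade); the lockfile text is a constructed sample.

```ruby
require "rubygems"   # provides Gem::Version for correct numeric comparison

# Fixed releases named in the advisory, keyed by [major, minor] branch.
FIXED = {
  [2, 3] => Gem::Version.new("2.3.18"),
  [3, 1] => Gem::Version.new("3.1.12"),
  [3, 2] => Gem::Version.new("3.2.13"),
}.freeze

# Returns [status, fixed_version]:
#   :vulnerable  - affected branch, below the fixed release (or 3.0.x, which
#                  has no fixed release in this advisory; upgrade branch)
#   :patched     - at or above the fixed release for its branch
#   :unknown     - branch not covered by this advisory
def rails_status(version_string)
  v = Gem::Version.new(version_string)
  branch = v.segments[0, 2]
  return [:vulnerable, nil] if branch == [3, 0]
  fixed = FIXED[branch]
  return [:unknown, nil] unless fixed
  v >= fixed ? [:patched, fixed.to_s] : [:vulnerable, fixed.to_s]
end

# Extracts the rails version from the "specs:" section of a Gemfile.lock,
# where the top-level gem line looks like "    rails (3.2.12)".
def pinned_rails_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}rails \(([\d.]+)\)/)
  m && m[1]
end

# Constructed sample lockfile fragment (not a real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.12)
        actionmailer (= 3.2.12)
LOCK

if __FILE__ == $0
  ver = pinned_rails_version(SAMPLE_LOCK)
  status, fixed = rails_status(ver)
  puts "rails #{ver}: #{status}#{fixed ? " (fixed in #{fixed})" : ""}"
end
```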