Issues - Dalphi/dalphi - Code Climate

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

    better_errors (2.4.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-39197

Criticality: Medium

URL: https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm

Solution: upgrade to >= 2.8.0

Loofah XSS Vulnerability
Open

    loofah (2.1.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

Keepalive thread overload/DoS in puma
Open

    puma (3.11.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16770

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994

Solution: upgrade to ~> 3.12.2, >= 4.3.1

Possible DoS Vulnerability in Action Controller Token Authentication
Open

    actionpack (5.0.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22904

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (5.0.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Potential XSS vulnerability in jQuery
Open

    jquery-rails (4.3.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11023

Criticality: Medium

URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Solution: upgrade to >= 4.4.0

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (5.0.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Potential XSS vulnerability in Action View
Open

    actionview (5.0.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-15169

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc

Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

Inefficient Regular Expression Complexity in Loofah
Open

    loofah (2.1.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23514

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Solution: upgrade to >= 2.19.1

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

HTTP Response Splitting (Early Hints) in Puma
Open

    puma (3.11.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-5249

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Solution: upgrade to ~> 3.12.4, >= 4.3.3

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (5.0.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Inline SVG vulnerable to Cross-site Scripting
Open

    inline_svg (1.3.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-36644

Criticality: Medium

URL: https://github.com/jamesmartin/inline_svg/pull/117

Solution: upgrade to >= 1.7.2

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

    actionpack (5.0.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22885

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (5.0.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Dalphi/dalphi

Showing 1,441 of 1,441 total issues

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

Loofah XSS Vulnerability
Open

Keepalive thread overload/DoS in puma
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Potential XSS vulnerability in jQuery
Open

Possible Strong Parameters Bypass in ActionPack
Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

XML Injection in Xerces Java affects Nokogiri
Open

Potential XSS vulnerability in Action View
Open

Inefficient Regular Expression Complexity in Loofah
Open

Out-of-bounds Write in zlib affects Nokogiri
Open

HTTP Response Splitting (Early Hints) in Puma
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

Inline SVG vulnerable to Cross-site Scripting
Open

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Improper Handling of Unexpected Data Type in Nokogiri
Open

Severity

Category

Status

Source

Language

Dalphi/dalphi

Showing 1,441 of 1,441 total issues

Older releases of better_errors open to Cross-Site Request Forgery attack Open

Loofah XSS Vulnerability Open

Keepalive thread overload/DoS in puma Open

Possible DoS Vulnerability in Action Controller Token Authentication Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open

Potential XSS vulnerability in jQuery Open

Possible Strong Parameters Bypass in ActionPack Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open

XML Injection in Xerces Java affects Nokogiri Open

Potential XSS vulnerability in Action View Open

Inefficient Regular Expression Complexity in Loofah Open

Out-of-bounds Write in zlib affects Nokogiri Open

HTTP Response Splitting (Early Hints) in Puma Open

ReDoS based DoS vulnerability in Action Dispatch Open

Inline SVG vulnerable to Cross-site Scripting Open

Possible Information Disclosure / Unintended Method Execution in Action Pack Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open

Ability to forge per-form CSRF tokens given a global CSRF token Open

Improper Handling of Unexpected Data Type in Nokogiri Open

Severity

Category

Status

Source

Language

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

Loofah XSS Vulnerability
Open

Keepalive thread overload/DoS in puma
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Potential XSS vulnerability in jQuery
Open

Possible Strong Parameters Bypass in ActionPack
Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

XML Injection in Xerces Java affects Nokogiri
Open

Potential XSS vulnerability in Action View
Open

Inefficient Regular Expression Complexity in Loofah
Open

Out-of-bounds Write in zlib affects Nokogiri
Open

HTTP Response Splitting (Early Hints) in Puma
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

Inline SVG vulnerable to Cross-site Scripting
Open

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Improper Handling of Unexpected Data Type in Nokogiri
Open