Gemfile.lock from SMERM/EMUForm

Gemfile.lock

Summary

Maintainability

Test Coverage

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

    activerecord (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22880

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, >= 6.0.3.5, ~> 6.0.3, >= 6.1.2.1

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (1.8.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

    activerecord (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8161

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Possible XSS vulnerability in ActionView
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-5267

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8

Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2

CSRF vulnerability in OmniAuth's request phase
Open

    omniauth (1.3.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-9284

Criticality: High

URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

Solution: upgrade to >= 2.0.0

Denial of service via header parsing in Rack
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44570

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

Possible DoS Vulnerability in Action Controller Token Authentication
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22904

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Code Injection vulnerability in CarrierWave::RMagick
Open

    carrierwave (0.10.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21305

Criticality: High

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

    devise (3.5.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5421

Criticality: Critical

URL: https://github.com/plataformatec/devise/issues/4981

Solution: upgrade to >= 4.6.0

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22795

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

OS Command Injection in Rake
Open

    rake (10.5.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8130

Criticality: High

URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8

Solution: upgrade to >= 12.3.3

CSRF Vulnerability in rails-ujs
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8167

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

XSS Vulnerability on closeText option of Dialog jQuery UI
Open

    jquery-ui-rails (5.0.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-7103

Criticality: Medium

URL: https://github.com/jquery/api.jqueryui.com/issues/281

Solution: upgrade to >= 6.0.0

Cross-Site Scripting in Kaminari via `original_script_name` parameter
Open

    kaminari (0.16.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11082

Criticality: Medium

URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433

Solution: upgrade to >= 1.2.1

Denial of service via multipart parsing in Rack
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44572

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (3.5.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Denial of Service Vulnerability in Rack Multipart Parsing
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-30122

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Possible XSS Vulnerability in Action View tag helpers
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-27777

Criticality: Medium

URL: https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

Solution: upgrade to >= 5.2.7.1, ~> 5.2.7, >= 6.0.4.8, ~> 6.0.4, >= 6.1.5.1, ~> 6.1.5, >= 7.0.2.4

ReDoS based DoS vulnerability in Active Support’s underscore
Open

    activesupport (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22796

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

ReDoS based DoS vulnerability in GlobalID
Open

    globalid (0.3.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22799

URL: https://github.com/rails/globalid/releases/tag/v1.0.1

Solution: upgrade to >= 1.0.1

Potential XSS vulnerability in Action View
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-15169

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc

Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Server-side request forgery in CarrierWave
Open

    carrierwave (0.10.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

RDoc OS command injection vulnerability
Open

    rdoc (4.2.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-31799

Criticality: High

URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/

Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22885

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Potential XSS vulnerability in jQuery
Open

    jquery-rails (4.1.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11023

Criticality: Medium

URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Solution: upgrade to >= 4.4.0

Insecure Source URI found: git://github.com/gregbell/active_admin.git
Open

  remote: git://github.com/gregbell/active_admin.git

Found in Gemfile.lock by bundler-audit

Exclude checks
- Disable engine
- Disable check

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-15412

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.2

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23519

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

Solution: upgrade to >= 1.4.4

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-16932

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.1

Moderate severity vulnerability that affects nokogiri
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-18258

Criticality: Medium

URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Solution: upgrade to >= 1.8.2

Improper Certificate Validation in oauth ruby gem
Open

    oauth (0.4.7)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-11086

Criticality: High

URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2

Solution: upgrade to >= 0.5.5

Denial of Service in rubyzip ("zip bombs")
Open

    rubyzip (1.2.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16892

Criticality: Medium

URL: https://github.com/rubyzip/rubyzip/pull/403

Solution: upgrade to >= 1.3.0

Loofah XSS Vulnerability
Open

    loofah (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-8048

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/144

Solution: upgrade to >= 2.2.1

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-5029

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1634

Solution: upgrade to >= 1.7.2

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Prototype pollution attack through jQuery $.extend
Open

    jquery-rails (4.1.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11358

Criticality: Medium

URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Solution: upgrade to >= 4.3.4

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Inefficient Regular Expression Complexity in Loofah
Open

    loofah (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23514

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Solution: upgrade to >= 2.19.1

Loofah XSS Vulnerability
Open

    loofah (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-16468

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/154

Solution: upgrade to >= 2.2.3

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-4658

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1615

Solution: upgrade to >= 1.7.1

Path Traversal in Sprockets
Open

    sprockets (3.5.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-9050

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1673

Solution: upgrade to >= 1.8.1

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
Open

    omniauth (1.3.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-36599

Criticality: Critical

URL: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2

Solution: upgrade to ~> 1.9.2, >= 2.0.0

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.4.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Loofah XSS Vulnerability
Open

    loofah (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Open

    i18n (0.7.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-10077

URL: https://github.com/svenfuchs/i18n/pull/289

Solution: upgrade to >= 0.8.0

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Denial of service or RCE from libxml2 and libxslt
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-8806

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1473

Solution: upgrade to >= 1.6.8

Directory traversal vulnerability in rubyzip
Open

    rubyzip (1.2.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-5946

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/315

Solution: upgrade to >= 1.2.1

File Content Disclosure in Action View
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Possible XSS Vulnerability in Action View
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-6316

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk

Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Denial of Service Vulnerability in Action View
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

omniauth leaks authenticity token in callback params
Open

    omniauth (1.3.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-18076

Criticality: High

URL: https://github.com/omniauth/omniauth/pull/867

Solution: upgrade to >= 1.3.2

ruby-ffi DDL loading issue on Windows OS
Open

    ffi (1.9.10)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

Possible information leak / session hijack vulnerability
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-3741

URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Solution: upgrade to >= 1.0.4

Possible XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7578

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI

Solution: upgrade to >= 1.0.3

Directory Traversal in rubyzip
Open

    rubyzip (1.2.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-1000544

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/369

Solution: upgrade to >= 1.2.2

Potential remote code execution of user-provided local names in ActionView
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8163

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0

Solution: upgrade to >= 4.2.11.2

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Unsafe Query Generation Risk in Active Record
Open

    activerecord (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-6317

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s

Solution: upgrade to >= 4.2.7.1

Possible XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7580

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI

Solution: upgrade to >= 1.0.3

Broken Access Control vulnerability in Active Job
Open

    activejob (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Possible XSS vulnerability in Rack
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3
Open

    rails (4.2.5)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7578). Upgrade to 1.0.3
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.0.3)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7580). Upgrade to 1.0.3
Open

    rails-html-sanitizer (1.0.2)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Rails 4.2.5 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1
Open

    rails (4.2.5)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Rails 4.2.5 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.2.5.1
Open

    rails (4.2.5)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Rails 4.2.5 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1
Open

    rails (4.2.5)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Possible remote code execution vulnerability in Action Pack
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-2098

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Nested attributes rejection proc bypass in Active Record
Open

    activerecord (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7577

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Open

    nokogiri (1.6.7.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7499

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM

Solution: upgrade to >= 1.6.7.2

Possible Object Leak and Denial of Service attack in Action Pack
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-0751

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Timing attack vulnerability in basic authentication in Action Controller.
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7576

Criticality: Low

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Possible Input Validation Circumvention in Active Model
Open

    activemodel (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-0753

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Object leak vulnerability for wildcard controller routes in Action Pack
Open

    actionpack (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7581

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE

Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Possible Information Leak Vulnerability in Action View
Open

    actionview (4.2.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-0752

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

SMERM/EMUForm

Summary

Maintainability

Test Coverage

Possible RCE escalation bug with Serialized Columns in Active Record Open

Possible DoS Vulnerability in Active Record PostgreSQL adapter Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter Open

Directory traversal in Rack::Directory app bundled with Rack Open

Possible Strong Parameters Bypass in ActionPack Open

Possible XSS vulnerability in ActionView Open

CSRF vulnerability in OmniAuth's request phase Open

Denial of service via header parsing in Rack Open

Possible DoS Vulnerability in Action Controller Token Authentication Open

ReDoS based DoS vulnerability in Action Dispatch Open

Code Injection vulnerability in CarrierWave::RMagick Open

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Open

ReDoS based DoS vulnerability in Action Dispatch Open

Denial of Service Vulnerability in Rack Content-Disposition parsing Open

OS Command Injection in Rake Open

CSRF Vulnerability in rails-ujs Open

XSS Vulnerability on closeText option of Dialog jQuery UI Open

Cross-Site Scripting in Kaminari via original_script_name parameter Open

Denial of service via multipart parsing in Rack Open

Devise Gem for Ruby confirmation token validation with a blank string Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open

Denial of Service Vulnerability in Rack Multipart Parsing Open

Possible shell escape sequence injection vulnerability in Rack Open

Possible XSS Vulnerability in Action View tag helpers Open

ReDoS based DoS vulnerability in Active Support’s underscore Open

ReDoS based DoS vulnerability in GlobalID Open

Potential XSS vulnerability in Action View Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open

Server-side request forgery in CarrierWave Open

RDoc OS command injection vulnerability Open

Possible Information Disclosure / Unintended Method Execution in Action Pack Open

Ability to forge per-form CSRF tokens given a global CSRF token Open

Potential XSS vulnerability in jQuery Open

Insecure Source URI found: git://github.com/gregbell/active_admin.git Open

Nokogiri gem, via libxml, is affected by DoS vulnerabilities Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Nokogiri gem, via libxml, is affected by DoS vulnerabilities Open

Moderate severity vulnerability that affects nokogiri Open

Improper Certificate Validation in oauth ruby gem Open

Denial of Service in rubyzip ("zip bombs") Open

Loofah XSS Vulnerability Open

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open

Out-of-bounds Write in zlib affects Nokogiri Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open

Prototype pollution attack through jQuery $.extend Open

Inefficient Regular Expression Complexity in Nokogiri Open

Inefficient Regular Expression Complexity in Loofah Open

Loofah XSS Vulnerability Open

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Open

Path Traversal in Sprockets Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Open

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Open

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Open

OmniAuth's lib/omniauth/failure_endpoint.rb does not escape message_key value Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Open

Improper Handling of Unexpected Data Type in Nokogiri Open

Revert libxml2 behavior in Nokogiri gem that could cause XSS Open

Inefficient Regular Expression Complexity in rails-html-sanitizer Open

Regular Expression Denial of Service in Addressable templates Open

Loofah XSS Vulnerability Open

XML Injection in Xerces Java affects Nokogiri Open

i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open

Denial of Service (DoS) in Nokogiri on JRuby Open

Denial of service or RCE from libxml2 and libxslt Open

Directory traversal vulnerability in rubyzip Open

File Content Disclosure in Action View Open

Possible RCE escalation bug with Serialized Columns in Active Record
Open

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

Directory traversal in Rack::Directory app bundled with Rack
Open

Possible Strong Parameters Bypass in ActionPack
Open

Possible XSS vulnerability in ActionView
Open

CSRF vulnerability in OmniAuth's request phase
Open

Denial of service via header parsing in Rack
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

Code Injection vulnerability in CarrierWave::RMagick
Open

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

OS Command Injection in Rake
Open

CSRF Vulnerability in rails-ujs
Open

XSS Vulnerability on closeText option of Dialog jQuery UI
Open

Cross-Site Scripting in Kaminari via `original_script_name` parameter
Open

Denial of service via multipart parsing in Rack
Open

Devise Gem for Ruby confirmation token validation with a blank string
Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

Denial of Service Vulnerability in Rack Multipart Parsing
Open

Possible shell escape sequence injection vulnerability in Rack
Open

Possible XSS Vulnerability in Action View tag helpers
Open

ReDoS based DoS vulnerability in Active Support’s underscore
Open

ReDoS based DoS vulnerability in GlobalID
Open

Potential XSS vulnerability in Action View
Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Server-side request forgery in CarrierWave
Open

RDoc OS command injection vulnerability
Open

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Potential XSS vulnerability in jQuery
Open

Insecure Source URI found: git://github.com/gregbell/active_admin.git
Open

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

Moderate severity vulnerability that affects nokogiri
Open

Improper Certificate Validation in oauth ruby gem
Open

Denial of Service in rubyzip ("zip bombs")
Open

Loofah XSS Vulnerability
Open

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

Out-of-bounds Write in zlib affects Nokogiri
Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

Prototype pollution attack through jQuery $.extend
Open

Inefficient Regular Expression Complexity in Nokogiri
Open

Inefficient Regular Expression Complexity in Loofah
Open

Loofah XSS Vulnerability
Open

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

Path Traversal in Sprockets
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Open

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

Improper Handling of Unexpected Data Type in Nokogiri
Open

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

Regular Expression Denial of Service in Addressable templates
Open

Loofah XSS Vulnerability
Open

XML Injection in Xerces Java affects Nokogiri
Open

i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

Denial of Service (DoS) in Nokogiri on JRuby
Open

Denial of service or RCE from libxml2 and libxslt
Open

Directory traversal vulnerability in rubyzip
Open

File Content Disclosure in Action View
Open

Possible XSS Vulnerability in Action View
Open

Denial of Service Vulnerability in Action View
Open

omniauth leaks authenticity token in callback params
Open

ruby-ffi DDL loading issue on Windows OS
Open