Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:
    actioncable (5.2.3)
      actionpack (= 5.2.3)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
    actionmailer (5.2.3)
      actionpack (= 5.2.3)
      actionview (= 5.2.3)
      activejob (= 5.2.3)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
    actionpack (5.2.3)
      actionview (= 5.2.3)
      activesupport (= 5.2.3)
      rack (~> 2.0)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
    actionview (5.2.3)
      activesupport (= 5.2.3)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
    activejob (5.2.3)
      activesupport (= 5.2.3)
      globalid (>= 0.3.6)
    activemodel (5.2.3)
      activesupport (= 5.2.3)
    activerecord (5.2.3)
      activemodel (= 5.2.3)
      activesupport (= 5.2.3)
      arel (>= 9.0)
    activestorage (5.2.3)
      actionpack (= 5.2.3)
      activerecord (= 5.2.3)
      marcel (~> 0.3.1)
    activesupport (5.2.3)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
      tzinfo (~> 1.1)
    addressable (2.4.0)
    arel (9.0.0)
    ast (2.4.0)
    audited (4.8.0)
      activerecord (>= 4.0, < 5.3)
    aws-eventstream (1.0.3)
    aws-partitions (1.158.0)
    aws-sdk-core (3.49.0)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
    aws-sdk-kms (1.18.0)
      aws-sdk-core (~> 3, >= 3.48.2)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.36.1)
      aws-sdk-core (~> 3, >= 3.48.2)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.0)
    aws-sigv4 (1.1.0)
      aws-eventstream (~> 1.0, >= 1.0.2)
    babel-source (5.8.35)
    babel-transpiler (0.7.0)
      babel-source (>= 4.0, < 6)
      execjs (~> 2.0)
    backports (3.14.0)
    bcrypt (3.1.13)
    builder (3.2.3)
    byebug (11.0.1)
    capybara (3.18.0)
      addressable
      mini_mime (>= 0.1.3)
      nokogiri (~> 1.8)
      rack (>= 1.6.0)
      rack-test (>= 0.6.3)
      regexp_parser (~> 1.2)
      xpath (~> 3.2)
    capybara-screenshot (1.0.22)
      capybara (>= 1.0, < 4)
      launchy
    capybara-selenium (0.0.6)
      capybara
      selenium-webdriver
    chartkick (3.3.0)
    childprocess (1.0.1)
      rake (< 13.0)
    chunky_png (1.3.11)
    concurrent-ruby (1.1.5)
    connection_pool (2.2.2)
    crass (1.0.5)
    database_cleaner (1.7.0)
    devise (4.7.1)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
      responders
      warden (~> 1.2.3)
    devise_invitable (2.0.1)
      actionmailer (>= 5.0)
      devise (>= 4.6)
    diff-lcs (1.3)
    discard (1.1.0)
      activerecord (>= 4.2, < 7)
    docile (1.3.1)
    dotenv (2.7.2)
    dotenv-rails (2.7.2)
      dotenv (= 2.7.2)
      railties (>= 3.2, < 6.1)
    erubi (1.8.0)
    erubis (2.7.0)
    ethon (0.12.0)
      ffi (>= 1.3.0)
    execjs (2.7.0)
    factory_bot (4.11.1)
      activesupport (>= 3.0.0)
    factory_bot_rails (4.11.1)
      factory_bot (~> 4.11.1)
      railties (>= 3.0.0)
    faker (1.9.3)
      i18n (>= 0.7)
    faraday (0.15.4)
      multipart-post (>= 1.2, < 3)
    faraday_middleware (0.13.1)
      faraday (>= 0.7.4, < 1.0)
    ffi (1.10.0)
    font-awesome-rails (4.7.0.5)
      railties (>= 3.2, < 6.1)
    gh (0.15.1)
      addressable (~> 2.4.0)
      backports
      faraday (~> 0.8)
      multi_json (~> 1.0)
      net-http-persistent (~> 2.9)
      net-http-pipeline
    globalid (0.4.2)
      activesupport (>= 4.2.0)
    groupdate (4.1.1)
      activesupport (>= 4.2)
    haml (5.0.4)
      temple (>= 0.8.0)
      tilt
    haml-rails (1.0.0)
      actionpack (>= 4.0.1)
      activesupport (>= 4.0.1)
      haml (>= 4.0.6, < 6.0)
      html2haml (>= 1.0.1)
      railties (>= 4.0.1)
    highline (1.7.10)
    html2haml (2.2.0)
      erubis (~> 2.7.0)
      haml (>= 4.0, < 6)
      nokogiri (>= 1.6.0)
      ruby_parser (~> 3.5)
    httparty (0.17.0)
      mime-types (~> 3.0)
      multi_xml (>= 0.5.2)
    i18n (1.6.0)
      concurrent-ruby (~> 1.0)
    image_processing (1.9.0)
      mini_magick (>= 4.9.3, < 5)
      ruby-vips (>= 2.0.13, < 3)
    jaro_winkler (1.5.2)
    jmespath (1.4.0)
    json (2.2.0)
    json-schema (2.8.1)
      addressable (>= 2.4)
    jsonapi-deserializable (0.2.0)
    jsonapi-parser (0.1.1)
    jsonapi-rails (0.3.1)
      jsonapi-parser (~> 0.1.0)
      jsonapi-rb (~> 0.5.0)
    jsonapi-rb (0.5.0)
      jsonapi-deserializable (~> 0.2.0)
      jsonapi-serializable (~> 0.3.0)
    jsonapi-renderer (0.2.0)
    jsonapi-serializable (0.3.1)
      jsonapi-renderer (~> 0.2.0)
    jsonapi_compliable (0.11.32)
      jsonapi-serializable (~> 0.3.0)
    jsonapi_errorable (0.9.4)
      jsonapi-serializable (~> 0.1)
    jsonapi_spec_helpers (0.4.10)
      rspec (~> 3.0)
    jsonapi_suite (0.7.0)
      actionpack (>= 4.1, < 6)
      activesupport (>= 4.1, < 6)
      jsonapi_compliable (~> 0.11)
      jsonapi_errorable (~> 0.6)
      strong_resources (~> 0.6)
    jsonapi_swagger_helpers (0.6.6)
      jsonapi_compliable (~> 0.10)
      jsonapi_spec_helpers (< 1)
      strong_resources
      swagger-blocks (~> 1.3)
    jwt (2.1.0)
    kaminari (1.1.1)
      activesupport (>= 4.1.0)
      kaminari-actionview (= 1.1.1)
      kaminari-activerecord (= 1.1.1)
      kaminari-core (= 1.1.1)
    kaminari-actionview (1.1.1)
      actionview
      kaminari-core (= 1.1.1)
    kaminari-activerecord (1.1.1)
      activerecord
      kaminari-core (= 1.1.1)
    kaminari-core (1.1.1)
    launchy (2.4.3)
      addressable (~> 2.3)
    letter_opener (1.7.0)
      launchy (~> 2.2)
    listen (3.1.5)
      rb-fsevent (~> 0.9, >= 0.9.4)
      rb-inotify (~> 0.9, >= 0.9.7)
      ruby_dep (~> 1.2)
    loofah (2.3.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    mail (2.7.1)
      mini_mime (>= 0.1.1)
    marcel (0.3.3)
      mimemagic (~> 0.3.2)
    method_source (0.9.2)
    mime-types (3.2.2)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2019.0331)
    mimemagic (0.3.3)
    mini_magick (4.9.4)
    mini_mime (1.0.1)
    mini_portile2 (2.4.0)
    minitest (5.11.3)
    multi_json (1.13.1)
    multi_xml (0.6.0)
    multipart-post (2.0.0)
    net-http-persistent (2.9.4)
    net-http-pipeline (1.0.1)
    nio4r (2.3.1)
    nokogiri (1.10.5)
      mini_portile2 (~> 2.4.0)
    orm_adapter (0.5.0)
    parallel (1.17.0)
    paranoia (2.4.2)
      activerecord (>= 4.0, < 6.1)
    parser (2.6.3.0)
      ast (~> 2.4.0)
    percy-capybara (4.0.0)
    pg (1.1.4)
    puma (3.12.1)
    pundit (2.0.1)
      activesupport (>= 3.0.0)
    purecss-rails (0.6.1)
      railties (>= 3.2.6, < 6)
    pusher-client (0.6.2)
      json
      websocket (~> 1.0)
    rack (2.0.7)
    rack-cors (1.0.3)
    rack-proxy (0.6.5)
      rack
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
    rails (5.2.3)
      actioncable (= 5.2.3)
      actionmailer (= 5.2.3)
      actionpack (= 5.2.3)
      actionview (= 5.2.3)
      activejob (= 5.2.3)
      activemodel (= 5.2.3)
      activerecord (= 5.2.3)
      activestorage (= 5.2.3)
      activesupport (= 5.2.3)
      bundler (>= 1.3.0)
      railties (= 5.2.3)
      sprockets-rails (>= 2.0.0)
    rails-controller-testing (1.0.4)
      actionpack (>= 5.0.1.x)
      actionview (>= 5.0.1.x)
      activesupport (>= 5.0.1.x)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.0.4)
      loofah (~> 2.2, >= 2.2.2)
    railties (5.2.3)
      actionpack (= 5.2.3)
      activesupport (= 5.2.3)
      method_source
      rake (>= 0.8.7)
      thor (>= 0.19.0, < 2.0)
    rainbow (3.0.0)
    rake (12.3.3)
    raygun4ruby (3.2.1)
      concurrent-ruby
      httparty (> 0.13.7)
      json
      rack
    rb-fsevent (0.10.3)
    rb-inotify (0.10.0)
      ffi (~> 1.0)
    react-rails (2.5.0)
      babel-transpiler (>= 0.7.0)
      connection_pool
      execjs
      railties (>= 3.2)
      tilt
    regexp_parser (1.4.0)
    responders (3.0.0)
      actionpack (>= 5.0)
      railties (>= 5.0)
    rqrcode (0.10.1)
      chunky_png (~> 1.0)
    rspec (3.5.0)
      rspec-core (~> 3.5.0)
      rspec-expectations (~> 3.5.0)
      rspec-mocks (~> 3.5.0)
    rspec-core (3.5.4)
      rspec-support (~> 3.5.0)
    rspec-expectations (3.5.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.5.0)
    rspec-mocks (3.5.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.5.0)
    rspec-rails (3.5.2)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
      rspec-core (~> 3.5.0)
      rspec-expectations (~> 3.5.0)
      rspec-mocks (~> 3.5.0)
      rspec-support (~> 3.5.0)
    rspec-support (3.5.0)
    rubocop (0.70.0)
      jaro_winkler (~> 1.5.1)
      parallel (~> 1.10)
      parser (>= 2.6)
      rainbow (>= 2.2.2, < 4.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 1.7)
    ruby-progressbar (1.10.0)
    ruby-vips (2.0.13)
      ffi (~> 1.9)
    ruby_dep (1.5.0)
    ruby_parser (3.13.1)
      sexp_processor (~> 4.9)
    rubyzip (1.3.0)
    selenium-webdriver (3.142.3)
      childprocess (>= 0.5, < 2.0)
      rubyzip (~> 1.2, >= 1.2.2)
    sexp_processor (4.12.0)
    simplecov (0.16.1)
      docile (~> 1.1)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.2)
    spring (2.0.2)
      activesupport (>= 4.2)
    spring-watcher-listen (2.0.1)
      listen (>= 2.7, < 4.0)
      spring (>= 1.2, < 3.0)
    sprockets (3.7.2)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (3.2.1)
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
    strong_resources (0.6.4)
      actionpack (>= 4.1, < 6.0)
      activesupport (>= 4.1, < 6.0)
      jsonapi_compliable (~> 0.6)
      stronger_parameters (~> 2.6)
    stronger_parameters (2.11.0)
      actionpack (>= 3.2, < 5.3)
    swagger-blocks (1.4.0)
    swagger-diff (1.1.2)
      json-schema (~> 2.6)
      rspec-expectations (~> 3.3)
    temple (0.8.1)
    thor (0.20.3)
    thread_safe (0.3.6)
    tilt (2.0.9)
    timecop (0.9.1)
    travis (1.8.9)
      backports
      faraday (~> 0.9)
      faraday_middleware (~> 0.9, >= 0.9.1)
      gh (~> 0.13)
      highline (~> 1.6)
      launchy (~> 2.1)
      pusher-client (~> 0.4)
      typhoeus (~> 0.6, >= 0.6.8)
    typhoeus (0.8.0)
      ethon (>= 0.8.0)
    tzinfo (1.2.5)
      thread_safe (~> 0.1)
    unicode-display_width (1.6.0)
    warden (1.2.8)
      rack (>= 2.0.6)
    webdrivers (3.9.4)
      nokogiri (~> 1.6)
      rubyzip (~> 1.0)
      selenium-webdriver (~> 3.0)
    webpacker (4.0.2)
      activesupport (>= 4.2)
      rack-proxy (>= 0.6.1)
      railties (>= 4.2)
    websocket (1.2.8)
    websocket-driver (0.7.0)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.3)
    xpath (3.2.0)
      nokogiri (~> 1.8)

PLATFORMS
  ruby

DEPENDENCIES
  audited (~> 4.7)
  aws-sdk-s3
  byebug
  capybara
  capybara-screenshot
  capybara-selenium
  chartkick
  database_cleaner (~> 1.6)
  devise
  devise_invitable
  discard (~> 1.0)
  dotenv-rails
  factory_bot_rails (~> 4.0)
  faker (~> 1.7)
  font-awesome-rails
  groupdate
  haml-rails
  httparty
  image_processing
  jsonapi-rails (~> 0.3.0)
  jsonapi_spec_helpers (~> 0.4)
  jsonapi_suite (~> 0.7)
  jsonapi_swagger_helpers (~> 0.6)
  jwt (~> 2.1.0)
  kaminari (~> 1.0)
  letter_opener
  listen (>= 3.0.5, < 3.2)
  loofah (>= 2.2.1)
  paranoia (~> 2.2)
  percy-capybara (~> 4.0.0)
  pg
  puma (~> 3.7)
  pundit
  purecss-rails
  rack-cors
  rails (~> 5.2.0)
  rails-controller-testing
  rails-html-sanitizer (>= 1.0.4)
  raygun4ruby
  react-rails
  rqrcode
  rspec-rails (~> 3.5.2)
  rubocop (= 0.70.0)
  simplecov
  spring
  spring-watcher-listen (~> 2.0.0)
  swagger-diff (~> 1.1)
  timecop
  travis
  webdrivers
  webpacker

BUNDLED WITH
   1.17.3

Security advisories the page shows against this lockfile, listed by the pinned gem they apply to:
  actionpack (5.2.3)
    Ability to forge per-form CSRF tokens given a global CSRF token
    Possible XSS Vulnerability in Action Pack
    Possible Strong Parameters Bypass in ActionPack
    Possible exposure of information vulnerability in Action Pack
    ReDoS based DoS vulnerability in Action Dispatch
    Possible DoS Vulnerability in Action Controller Token Authentication
    Possible Information Disclosure / Unintended Method Execution in Action Pack
  actionview (5.2.3)
    Potential XSS vulnerability in Action View
    CSRF Vulnerability in rails-ujs
    Possible XSS vulnerability in ActionView
    Possible XSS Vulnerability in Action View tag helpers
  activerecord (5.2.3)
    Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
    Possible DoS Vulnerability in Active Record PostgreSQL adapter
    Possible RCE escalation bug with Serialized Columns in Active Record
  activestorage (5.2.3)
    Possible code injection vulnerability in Rails / Active Storage
    Circumvention of file size limits in ActiveStorage
  activesupport (5.2.3)
    Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
    ReDoS based DoS vulnerability in Active Support’s underscore
  addressable (2.4.0)
    Regular Expression Denial of Service in Addressable templates
  chartkick (3.3.0)
    CSS injection with width and height options
  globalid (0.4.2)
    ReDoS based DoS vulnerability in GlobalID
  httparty (0.17.0)
    httparty has multipart/form-data request tampering vulnerability
  image_processing (1.9.0)
    Remote shell execution vulnerability when applying commands from user input
  jmespath (1.4.0)
    JMESPath for Ruby using JSON.load instead of JSON.parse
  json (2.2.0)
    json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
  kaminari (1.1.1)
    Cross-Site Scripting in Kaminari via `original_script_name` parameter
  loofah (2.3.1)
    Uncontrolled Recursion in Loofah
    Inefficient Regular Expression Complexity in Loofah
    Improper neutralization of data URIs may allow XSS in Loofah
  nokogiri (1.10.5)
    Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
    Integer Overflow or Wraparound in libxml2 affects Nokogiri
    Update packaged dependency libxml2 from 2.9.10 to 2.9.12
    Improper Handling of Unexpected Data Type in Nokogiri
    XML Injection in Xerces Java affects Nokogiri
    Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
    Denial of Service (DoS) in Nokogiri on JRuby
    Inefficient Regular Expression Complexity in Nokogiri
    Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
    Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
    Out-of-bounds Write in zlib affects Nokogiri
    libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
  puma (3.12.1)
    Keepalive Connections Causing Denial Of Service in puma
    Information Exposure with Puma when used with Rails
    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
    HTTP Request Smuggling in puma
    HTTP Smuggling via Transfer-Encoding Header in Puma
    HTTP Response Splitting (Early Hints) in Puma
    HTTP Response Splitting vulnerability in puma
    Keepalive thread overload/DoS in puma
  rack (2.0.7)
    Directory traversal in Rack::Directory app bundled with Rack
    Percent-encoded cookies can be used to overwrite existing prefixed cookie names
    Denial of Service Vulnerability in Rack Multipart Parsing
    Possible information leak / session hijack vulnerability
    Denial of service via header parsing in Rack
    Possible shell escape sequence injection vulnerability in Rack
    Denial of Service Vulnerability in Rack Content-Disposition parsing
    Denial of service via multipart parsing in Rack
  rack-cors (1.0.3)
    rack-cors directory traversal via path
  rails-html-sanitizer (1.0.4)
    Possible XSS vulnerability with certain configurations of rails-html-sanitizer
    Inefficient Regular Expression Complexity in rails-html-sanitizer
    Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
    Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
  tzinfo (1.2.5)
    TZInfo relative path traversal vulnerability allows loading of arbitrary files
  websocket-extensions (0.1.3)
    Regular Expression Denial of Service in websocket-extensions (RubyGem)