Issues - cortex-cms/cortex

Possible timing attack in derivation_endpoint
Open

    shrine (2.11.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-15237

Criticality: Medium

URL: https://github.com/shrinerb/shrine/security/advisories/GHSA-5jjv-x4fq-qjwp

Solution: upgrade to >= 3.3.0

ReDoS based DoS vulnerability in GlobalID
Open

    globalid (0.4.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22799

URL: https://github.com/rails/globalid/releases/tag/v1.0.1

Solution: upgrade to >= 1.0.1

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.5.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Potential XSS vulnerability in Action View
Open

    actionview (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-15169

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc

Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

Possible XSS vulnerability in ActionView
Open

    actionview (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-5267

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8

Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Cross-site Scripting in Sidekiq
Open

    sidekiq (5.1.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-30151

Criticality: Medium

URL: https://github.com/advisories/GHSA-grh7-935j-hg6w

Solution: upgrade to ~> 5.2.0, >= 6.2.1

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

Possible DoS Vulnerability in Action Controller Token Authentication
Open

    actionpack (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22904

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Gon gem lack of escaping certain input when outputting as JSON
Open

    gon (6.2.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-25739

Criticality: Medium

URL: https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7

Solution: upgrade to >= 6.4.0

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (2.1.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

Sinatra vulnerable to Reflected File Download attack
Open

    sinatra (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-45442

Criticality: High

URL: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

Solution: upgrade to ~> 2.2.3, >= 3.0.4

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22795

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

CSRF Vulnerability in rails-ujs
Open

    actionview (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8167

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

cortex-cms/cortex

Showing 132 of 132 total issues

Possible timing attack in derivation_endpoint
Open

ReDoS based DoS vulnerability in GlobalID
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Regular Expression Denial of Service in Addressable templates
Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

Potential XSS vulnerability in Action View
Open

Possible XSS vulnerability in ActionView
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Cross-site Scripting in Sidekiq
Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

Gon gem lack of escaping certain input when outputting as JSON
Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

Improper neutralization of data URIs may allow XSS in Loofah
Open

Sinatra vulnerable to Reflected File Download attack
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

CSRF Vulnerability in rails-ujs
Open

XML Injection in Xerces Java affects Nokogiri
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

Severity

Category

Status

Source

Language

cortex-cms/cortex

Showing 132 of 132 total issues

Possible timing attack in derivation_endpoint Open

ReDoS based DoS vulnerability in GlobalID Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer Open

Regular Expression Denial of Service in Addressable templates Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open

Potential XSS vulnerability in Action View Open

Possible XSS vulnerability in ActionView Open

Ability to forge per-form CSRF tokens given a global CSRF token Open

Cross-site Scripting in Sidekiq Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Open

Possible DoS Vulnerability in Action Controller Token Authentication Open

Gon gem lack of escaping certain input when outputting as JSON Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open

Improper neutralization of data URIs may allow XSS in Loofah Open

Sinatra vulnerable to Reflected File Download attack Open

ReDoS based DoS vulnerability in Action Dispatch Open

CSRF Vulnerability in rails-ujs Open

XML Injection in Xerces Java affects Nokogiri Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open

Severity

Category

Status

Source

Language

Possible timing attack in derivation_endpoint
Open

ReDoS based DoS vulnerability in GlobalID
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Regular Expression Denial of Service in Addressable templates
Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

Potential XSS vulnerability in Action View
Open

Possible XSS vulnerability in ActionView
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Cross-site Scripting in Sidekiq
Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

Gon gem lack of escaping certain input when outputting as JSON
Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

Improper neutralization of data URIs may allow XSS in Loofah
Open

Sinatra vulnerable to Reflected File Download attack
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

CSRF Vulnerability in rails-ujs
Open

XML Injection in Xerces Java affects Nokogiri
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open