Issues - cortex-cms/cortex

Possible timing attack in derivation_endpoint
Open

    shrine (2.11.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-15237

Criticality: Medium

URL: https://github.com/shrinerb/shrine/security/advisories/GHSA-5jjv-x4fq-qjwp

Solution: upgrade to >= 3.3.0

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8166

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (2.1.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-10663

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Loofah XSS Vulnerability
Open

    loofah (2.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (2.0.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8161

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

CSRF Vulnerability in rails-ujs
Open

    actionview (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8167

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Gon gem lack of escaping certain input when outputting as JSON
Open

    gon (6.2.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-25739

Criticality: Medium

URL: https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7

Solution: upgrade to >= 6.4.0

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (4.4.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16109

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Potential XSS vulnerability in Action View
Open

    actionview (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-15169

URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc

Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

Possible XSS vulnerability in ActionView
Open

    actionview (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-5267

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8

Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8165

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Remote command execution via filename
Open

    mini_magick (4.8.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13574

Criticality: High

URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/

Solution: upgrade to >= 4.9.4

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (2.0.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8184

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8164

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

    activerecord (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22880

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, ~> 6.0.3.5, >= 6.1.2.1

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

    devise (4.4.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5421

Criticality: Critical

URL: https://github.com/plataformatec/devise/issues/4981

Solution: upgrade to >= 4.6.0

cortex-cms/cortex

Showing 91 of 91 total issues

Possible timing attack in derivation_endpoint
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

Loofah XSS Vulnerability
Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Directory traversal in Rack::Directory app bundled with Rack
Open

CSRF Vulnerability in rails-ujs
Open

Gon gem lack of escaping certain input when outputting as JSON
Open

Devise Gem for Ruby confirmation token validation with a blank string
Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

Potential XSS vulnerability in Action View
Open

Possible XSS vulnerability in ActionView
Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

Remote command execution via filename
Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

Possible Strong Parameters Bypass in ActionPack
Open

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

Severity

Category

Status

Source

Language

cortex-cms/cortex

Showing 91 of 91 total issues

Possible timing attack in derivation_endpoint Open

Ability to forge per-form CSRF tokens given a global CSRF token Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open

Loofah XSS Vulnerability Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open

Directory traversal in Rack::Directory app bundled with Rack Open

CSRF Vulnerability in rails-ujs Open

Gon gem lack of escaping certain input when outputting as JSON Open

Devise Gem for Ruby confirmation token validation with a blank string Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open

Potential XSS vulnerability in Action View Open

Possible XSS vulnerability in ActionView Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open

Remote command execution via filename Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open

Possible Strong Parameters Bypass in ActionPack Open

Possible DoS Vulnerability in Active Record PostgreSQL adapter Open

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Open

Severity

Category

Status

Source

Language

Possible timing attack in derivation_endpoint
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

Loofah XSS Vulnerability
Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Directory traversal in Rack::Directory app bundled with Rack
Open

CSRF Vulnerability in rails-ujs
Open

Gon gem lack of escaping certain input when outputting as JSON
Open

Devise Gem for Ruby confirmation token validation with a blank string
Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

Potential XSS vulnerability in Action View
Open

Possible XSS vulnerability in ActionView
Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

Remote command execution via filename
Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

Possible Strong Parameters Bypass in ActionPack
Open

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open