Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:
    actioncable (5.1.4)
      actionpack (= 5.1.4)
      nio4r (~> 2.0)
      websocket-driver (~> 0.6.1)
    actionmailer (5.1.4)
      actionpack (= 5.1.4)
      actionview (= 5.1.4)
      activejob (= 5.1.4)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
    actionpack (5.1.4)
      actionview (= 5.1.4)
      activesupport (= 5.1.4)
      rack (~> 2.0)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
    actionview (5.1.4)
      activesupport (= 5.1.4)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
    activejob (5.1.4)
      activesupport (= 5.1.4)
      globalid (>= 0.3.6)
    activemodel (5.1.4)
      activesupport (= 5.1.4)
    activerecord (5.1.4)
      activemodel (= 5.1.4)
      activesupport (= 5.1.4)
      arel (~> 8.0)
    activesupport (5.1.4)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (~> 0.7)
      minitest (~> 5.1)
      tzinfo (~> 1.1)
    addressable (2.5.2)
      public_suffix (>= 2.0.2, < 4.0)
    ansi (1.5.0)
    arel (8.0.0)
    backports (3.10.3)
    bcrypt (3.1.11)
    builder (3.2.3)
    byebug (9.1.0)
    carrierwave (1.2.1)
      activemodel (>= 4.0.0)
      activesupport (>= 4.0.0)
      mime-types (>= 1.16)
    carrierwave-base64 (2.6.1)
      carrierwave (>= 0.8.0)
      mime-types (~> 3.0)
    codeclimate-test-reporter (1.0.8)
      simplecov (<= 0.13)
    concurrent-ruby (1.0.5)
    connection_pool (2.2.1)
    crass (1.0.2)
    devise (4.3.0)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0, < 5.2)
      responders
      warden (~> 1.2.3)
    docile (1.1.5)
    domain_name (0.5.20170404)
      unf (>= 0.0.5, < 1.0.0)
    erubi (1.7.0)
    ethon (0.11.0)
      ffi (>= 1.3.0)
    faraday (0.13.1)
      multipart-post (>= 1.2, < 3)
    faraday_middleware (0.12.2)
      faraday (>= 0.7.4, < 1.0)
    ffi (1.9.18)
    gh (0.14.0)
      addressable
      backports
      faraday (~> 0.8)
      multi_json (~> 1.0)
      net-http-persistent (>= 2.7)
      net-http-pipeline
    globalid (0.4.0)
      activesupport (>= 4.2.0)
    highline (1.7.8)
    http-cookie (1.0.3)
      domain_name (~> 0.5)
    i18n (0.9.0)
      concurrent-ruby (~> 1.0)
    json (2.1.0)
    jwt (1.5.6)
    launchy (2.4.3)
      addressable (~> 2.3)
    listen (3.1.5)
      rb-fsevent (~> 0.9, >= 0.9.4)
      rb-inotify (~> 0.9, >= 0.9.7)
      ruby_dep (~> 1.2)
    loofah (2.1.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    mail (2.6.6)
      mime-types (>= 1.16, < 4)
    method_source (0.9.0)
    mime-types (3.1)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2016.0521)
    mini_portile2 (2.3.0)
    minitest (5.10.3)
    minitest-reporters (1.1.18)
      ansi
      builder
      minitest (>= 5.0)
      ruby-progressbar
    multi_json (1.12.2)
    multipart-post (2.0.0)
    net-http-persistent (3.0.0)
      connection_pool (~> 2.2)
    net-http-pipeline (1.0.1)
    netrc (0.11.0)
    nio4r (2.1.0)
    nokogiri (1.8.1)
      mini_portile2 (~> 2.3.0)
    octokit (4.7.0)
      sawyer (~> 0.8.0, >= 0.5.3)
    orm_adapter (0.5.0)
    pg (0.21.0)
    public_suffix (3.0.0)
    puma (3.10.0)
    pusher-client (0.6.2)
      json
      websocket (~> 1.0)
    rack (2.0.3)
    rack-cors (1.0.1)
    rack-test (0.7.0)
      rack (>= 1.0, < 3)
    rails (5.1.4)
      actioncable (= 5.1.4)
      actionmailer (= 5.1.4)
      actionpack (= 5.1.4)
      actionview (= 5.1.4)
      activejob (= 5.1.4)
      activemodel (= 5.1.4)
      activerecord (= 5.1.4)
      activesupport (= 5.1.4)
      bundler (>= 1.3.0)
      railties (= 5.1.4)
      sprockets-rails (>= 2.0.0)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
    rails_12factor (0.0.3)
      rails_serve_static_assets
      rails_stdout_logging
    rails_serve_static_assets (0.0.5)
    rails_stdout_logging (0.0.5)
    railties (5.1.4)
      actionpack (= 5.1.4)
      activesupport (= 5.1.4)
      method_source
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    rake (12.1.0)
    rb-fsevent (0.10.2)
    rb-inotify (0.9.10)
      ffi (>= 0.5.0, < 2)
    responders (2.4.0)
      actionpack (>= 4.2.0, < 5.3)
      railties (>= 4.2.0, < 5.3)
    rest-client (2.0.2)
      http-cookie (>= 1.0.2, < 2.0)
      mime-types (>= 1.16, < 4.0)
      netrc (~> 0.8)
    ruby-progressbar (1.9.0)
    ruby_dep (1.5.0)
    sawyer (0.8.1)
      addressable (>= 2.3.5, < 2.6)
      faraday (~> 0.8, < 1.0)
    simple_command (0.0.9)
    simple_token_authentication (1.15.1)
      actionmailer (>= 3.2.6, < 6)
      actionpack (>= 3.2.6, < 6)
      devise (>= 3.2, < 6)
    simplecov (0.13.0)
      docile (~> 1.1.0)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.2)
    spring (2.0.2)
      activesupport (>= 4.2)
    spring-watcher-listen (2.0.1)
      listen (>= 2.7, < 4.0)
      spring (>= 1.2, < 3.0)
    sprockets (3.7.1)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (3.2.1)
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
    thor (0.20.0)
    thread_safe (0.3.6)
    travis (1.8.8)
      backports
      faraday (~> 0.9)
      faraday_middleware (~> 0.9, >= 0.9.1)
      gh (~> 0.13)
      highline (~> 1.6)
      launchy (~> 2.1)
      pusher-client (~> 0.4)
      typhoeus (~> 0.6, >= 0.6.8)
    typhoeus (0.8.0)
      ethon (>= 0.8.0)
    tzinfo (1.2.3)
      thread_safe (~> 0.1)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.7.4)
    warden (1.2.7)
      rack (>= 1.0)
    websocket (1.2.4)
    websocket-driver (0.6.5)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.2)

PLATFORMS
  ruby

DEPENDENCIES
  activesupport (~> 5.1, >= 5.1.4)
  bcrypt (~> 3.1.7)
  byebug
  carrierwave (~> 1.1)
  carrierwave-base64 (~> 2.5, >= 2.5.3)
  codeclimate-test-reporter
  jwt (~> 1.5.6)
  listen (>= 3.0.5, < 3.2)
  minitest (~> 5.8, >= 5.8.4)
  minitest-reporters
  octokit (~> 4.0)
  pg (~> 0.18)
  puma (~> 3.7)
  rack-cors
  rails (~> 5.1.3)
  rails_12factor
  rest-client
  simple_command
  simple_token_authentication (~> 1.0)
  simplecov
  spring
  spring-watcher-listen (~> 2.0.0)
  travis (~> 1.8, >= 1.8.8)
  tzinfo-data

RUBY VERSION
   ruby 2.4.1p111

BUNDLED WITH
   1.15.4

Security advisories annotated against the pinned versions above (titles as shown on the page, grouped by the locked gem they apply to):

actionpack (5.1.4)
  - Possible Strong Parameters Bypass in ActionPack
  - Possible Information Disclosure / Unintended Method Execution in Action Pack
  - Ability to forge per-form CSRF tokens given a global CSRF token
  - Possible exposure of information vulnerability in Action Pack
  - ReDoS based DoS vulnerability in Action Dispatch
  - Possible DoS Vulnerability in Action Controller Token Authentication

actionview (5.1.4)
  - Possible XSS vulnerability in ActionView
  - Potential XSS vulnerability in Action View
  - Possible XSS Vulnerability in Action View tag helpers
  - CSRF Vulnerability in rails-ujs
  - Denial of Service Vulnerability in Action View
  - File Content Disclosure in Action View

activejob (5.1.4)
  - Broken Access Control vulnerability in Active Job

activerecord (5.1.4)
  - Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
  - Possible RCE escalation bug with Serialized Columns in Active Record
  - Possible DoS Vulnerability in Active Record PostgreSQL adapter

activesupport (5.1.4)
  - Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
  - ReDoS based DoS vulnerability in Active Support’s underscore

addressable (2.5.2)
  - Regular Expression Denial of Service in Addressable templates

carrierwave (1.2.1)
  - Code Injection vulnerability in CarrierWave::RMagick
  - Server-side request forgery in CarrierWave

devise (4.3.0)
  - Devise Gem for Ruby confirmation token validation with a blank string
  - Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module

ffi (1.9.18)
  - ruby-ffi DDL loading issue on Windows OS

globalid (0.4.0)
  - ReDoS based DoS vulnerability in GlobalID

json (2.1.0)
  - json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)

loofah (2.1.1)
  - Loofah XSS Vulnerability
  - Improper neutralization of data URIs may allow XSS in Loofah
  - Inefficient Regular Expression Complexity in Loofah
  - Loofah 2.1.1 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2

nokogiri (1.8.1)
  - Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
  - Update packaged dependency libxml2 from 2.9.10 to 2.9.12
  - Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
  - Out-of-bounds Write in zlib affects Nokogiri
  - Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
  - Inefficient Regular Expression Complexity in Nokogiri
  - Improper Handling of Unexpected Data Type in Nokogiri
  - Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
  - Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
  - Nokogiri gem, via libxslt, is affected by improper access control vulnerability
  - Integer Overflow or Wraparound in libxml2 affects Nokogiri
  - libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
  - Denial of Service (DoS) in Nokogiri on JRuby
  - Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
  - XML Injection in Xerces Java affects Nokogiri
  - Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
  - Nokogiri gem, via libxml, is affected by DoS vulnerabilities
  - Revert libxml2 behavior in Nokogiri gem that could cause XSS
  - Moderate severity vulnerability that affects nokogiri

puma (3.10.0)
  - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
  - HTTP Request Smuggling in puma
  - Keepalive Connections Causing Denial Of Service in puma
  - Information Exposure with Puma when used with Rails
  - HTTP Smuggling via Transfer-Encoding Header in Puma
  - HTTP Response Splitting vulnerability in puma
  - Keepalive thread overload/DoS in puma
  - HTTP Response Splitting (Early Hints) in Puma

rack (2.0.3)
  - Percent-encoded cookies can be used to overwrite existing prefixed cookie names
  - Directory traversal in Rack::Directory app bundled with Rack
  - Denial of Service Vulnerability in Rack Multipart Parsing
  - Possible information leak / session hijack vulnerability
  - Denial of service via multipart parsing in Rack
  - Denial of Service Vulnerability in Rack Content-Disposition parsing
  - Possible XSS vulnerability in Rack
  - Possible shell escape sequence injection vulnerability in Rack
  - Denial of service via header parsing in Rack

rack-cors (1.0.1)
  - rack-cors directory traversal via path

rails-html-sanitizer (1.0.3)
  - Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
  - Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
  - Inefficient Regular Expression Complexity in rails-html-sanitizer
  - Possible XSS vulnerability with certain configurations of rails-html-sanitizer
  - XSS vulnerability in rails-html-sanitizer
  - rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4

rake (12.1.0)
  - OS Command Injection in Rake

sprockets (3.7.1)
  - Path Traversal in Sprockets

tzinfo (1.2.3)
  - TZInfo relative path traversal vulnerability allows loading of arbitrary files

websocket-extensions (0.1.2)
  - Regular Expression Denial of Service in websocket-extensions (RubyGem)