Issues - lujanfernaud/prevy

Code Injection vulnerability in CarrierWave::RMagick
Open

    carrierwave (1.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21305

Criticality: High

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (4.4.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

    geocoder (1.5.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7981

Criticality: Critical

URL: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23

Solution: upgrade to >= 1.6.1

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Server-side request forgery in CarrierWave
Open

    carrierwave (1.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.11.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

Possible DoS Vulnerability in Action Controller Token Authentication
Open

    actionpack (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22904

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

ReDoS based DoS vulnerability in Active Support’s underscore
Open

    activesupport (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22796

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Potential XSS vulnerability in jQuery
Open

    jquery-rails (4.3.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11023

Criticality: Medium

URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Solution: upgrade to >= 4.4.0

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

CSRF Vulnerability in rails-ujs
Open

    actionview (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8167

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.11.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11076

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

Solution: upgrade to ~> 3.12.5, >= 4.3.4

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (5.1.6)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

lujanfernaud/prevy

Showing 1,727 of 1,727 total issues

Code Injection vulnerability in CarrierWave::RMagick
Open

Devise Gem for Ruby confirmation token validation with a blank string
Open

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

Improper neutralization of data URIs may allow XSS in Loofah
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Possible RCE escalation bug with Serialized Columns in Active Record
Open

Server-side request forgery in CarrierWave
Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

ReDoS based DoS vulnerability in Active Support’s underscore
Open

Potential XSS vulnerability in jQuery
Open

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

CSRF Vulnerability in rails-ujs
Open

XML Injection in Xerces Java affects Nokogiri
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Possible Strong Parameters Bypass in ActionPack
Open

Severity

Category

Status

Source

Language

lujanfernaud/prevy

Showing 1,727 of 1,727 total issues

Code Injection vulnerability in CarrierWave::RMagick Open

Devise Gem for Ruby confirmation token validation with a blank string Open

Geocoder gem for Ruby contains possible SQL injection vulnerability Open

Improper neutralization of data URIs may allow XSS in Loofah Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Possible RCE escalation bug with Serialized Columns in Active Record Open

Server-side request forgery in CarrierWave Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open

HTTP Smuggling via Transfer-Encoding Header in Puma Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer Open

Possible DoS Vulnerability in Action Controller Token Authentication Open

ReDoS based DoS vulnerability in Active Support’s underscore Open

Potential XSS vulnerability in jQuery Open

Inefficient Regular Expression Complexity in rails-html-sanitizer Open

CSRF Vulnerability in rails-ujs Open

XML Injection in Xerces Java affects Nokogiri Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open

HTTP Smuggling via Transfer-Encoding Header in Puma Open

Possible Strong Parameters Bypass in ActionPack Open

Severity

Category

Status

Source

Language

Code Injection vulnerability in CarrierWave::RMagick
Open

Devise Gem for Ruby confirmation token validation with a blank string
Open

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

Improper neutralization of data URIs may allow XSS in Loofah
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Possible RCE escalation bug with Serialized Columns in Active Record
Open

Server-side request forgery in CarrierWave
Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

ReDoS based DoS vulnerability in Active Support’s underscore
Open

Potential XSS vulnerability in jQuery
Open

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

CSRF Vulnerability in rails-ujs
Open

XML Injection in Xerces Java affects Nokogiri
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Possible Strong Parameters Bypass in ActionPack
Open