Issues - ministryofjustice/hwf-calculator

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23519

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

Solution: upgrade to >= 1.4.4

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (5.1.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (2.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Possible exposure of information vulnerability in Action Pack
Open

    actionpack (5.1.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23633

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

Solution: upgrade to >= 5.2.6.2, ~> 5.2.6, >= 6.0.4.6, ~> 6.0.4, >= 6.1.4.6, ~> 6.1.4, >= 7.0.2.2

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (5.1.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Possible DoS Vulnerability in Action Controller Token Authentication
Open

    actionpack (5.1.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22904

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

    activerecord (5.1.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Possible XSS Vulnerability in Action View tag helpers
Open

    actionview (5.1.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-27777

Criticality: Medium

URL: https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

Solution: upgrade to >= 5.2.7.1, ~> 5.2.7, >= 6.0.4.8, ~> 6.0.4, >= 6.1.5.1, ~> 6.1.5, >= 7.0.2.4

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.5.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Loofah XSS Vulnerability
Open

    loofah (2.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

ReDoS based DoS vulnerability in Active Support’s underscore
Open

    activesupport (5.1.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22796

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

ministryofjustice/hwf-calculator

Showing 81 of 91 total issues

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

Possible exposure of information vulnerability in Action Pack
Open

Possible RCE escalation bug with Serialized Columns in Active Record
Open

Out-of-bounds Write in zlib affects Nokogiri
Open

Improper Handling of Unexpected Data Type in Nokogiri
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

Possible XSS Vulnerability in Action View tag helpers
Open

Regular Expression Denial of Service in Addressable templates
Open

Loofah XSS Vulnerability
Open

XML Injection in Xerces Java affects Nokogiri
Open

Inefficient Regular Expression Complexity in Nokogiri
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

ReDoS based DoS vulnerability in Active Support’s underscore
Open

Severity

Category

Status

Source

Language

ministryofjustice/hwf-calculator

Showing 81 of 91 total issues

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer Open

Ability to forge per-form CSRF tokens given a global CSRF token Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open

Possible exposure of information vulnerability in Action Pack Open

Possible RCE escalation bug with Serialized Columns in Active Record Open

Out-of-bounds Write in zlib affects Nokogiri Open

Improper Handling of Unexpected Data Type in Nokogiri Open

Possible DoS Vulnerability in Action Controller Token Authentication Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Open

Possible XSS Vulnerability in Action View tag helpers Open

Regular Expression Denial of Service in Addressable templates Open

Loofah XSS Vulnerability Open

XML Injection in Xerces Java affects Nokogiri Open

Inefficient Regular Expression Complexity in Nokogiri Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open

ReDoS based DoS vulnerability in Active Support’s underscore Open

Severity

Category

Status

Source

Language

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

Possible exposure of information vulnerability in Action Pack
Open

Possible RCE escalation bug with Serialized Columns in Active Record
Open

Out-of-bounds Write in zlib affects Nokogiri
Open

Improper Handling of Unexpected Data Type in Nokogiri
Open

Possible DoS Vulnerability in Action Controller Token Authentication
Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

Possible XSS Vulnerability in Action View tag helpers
Open

Regular Expression Denial of Service in Addressable templates
Open

Loofah XSS Vulnerability
Open

XML Injection in Xerces Java affects Nokogiri
Open

Inefficient Regular Expression Complexity in Nokogiri
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

ReDoS based DoS vulnerability in Active Support’s underscore
Open