Ability to forge per-form CSRF tokens given a global CSRF token Open
actionpack (5.1.4)
Advisory: CVE-2020-8166
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible DoS Vulnerability in Active Record PostgreSQL adapter Open
activerecord (5.1.4)
Advisory: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, ~> 6.0.3.5, >= 6.1.2.1
Potential XSS vulnerability in Action View Open
actionview (5.1.4)
Advisory: CVE-2020-15169
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3
Insecure Source URI found: git://github.com/justinfrench/formtastic.git Open
remote: git://github.com/justinfrench/formtastic.git
Cross-Site Scripting in Kaminari via original_script_name parameter Open
kaminari (1.1.1)
Advisory: CVE-2020-11082
Criticality: Medium
URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
Solution: upgrade to >= 1.2.1
Possible XSS vulnerability in ActionView Open
actionview (5.1.4)
Advisory: CVE-2020-5267
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2
Geocoder gem for Ruby contains possible SQL injection vulnerability Open
geocoder (1.5.1)
Advisory: CVE-2020-7981
Criticality: Critical
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7981
Solution: upgrade to >= 1.6.1
Insecure Source URI found: git://github.com/activeadmin/activeadmin.git Open
remote: git://github.com/activeadmin/activeadmin.git
CSRF Vulnerability in rails-ujs Open
actionview (5.1.4)
Advisory: CVE-2020-8167
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Insecure Source URI found: git://github.com/activerecord-hackery/ransack.git Open
remote: git://github.com/activerecord-hackery/ransack.git
Insecure Source URI found: git://github.com/activeadmin/inherited_resources.git Open
remote: git://github.com/activeadmin/inherited_resources.git
Insecure Source URI found: git://github.com/rails/activemodel-serializers-xml.git Open
remote: git://github.com/rails/activemodel-serializers-xml.git
Possible Strong Parameters Bypass in ActionPack Open
actionpack (5.1.4)
Advisory: CVE-2020-8164
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Directory traversal in Rack::Directory app bundled with Rack Open
rack (2.0.6)
Advisory: CVE-2020-8161
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
Devise Gem for Ruby confirmation token validation with a blank string Open
devise (4.6.1)
Advisory: CVE-2019-16109
URL: https://github.com/plataformatec/devise/issues/5071
Solution: upgrade to >= 4.7.1
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open
nokogiri (1.10.1)
Advisory: CVE-2020-26247
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Solution: upgrade to >= 1.11.0.rc4
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open
rack (2.0.6)
Advisory: CVE-2020-8184
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (5.1.4)
Advisory: CVE-2020-8165
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Loofah XSS Vulnerability Open
loofah (2.2.3)
Advisory: CVE-2019-15587
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/171
Solution: upgrade to >= 2.3.1
Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open
nokogiri (1.10.1)
Advisory: CVE-2019-11068
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Solution: upgrade to >= 1.10.3
File Content Disclosure in Action View Open
actionview (5.1.4)
Advisory: CVE-2019-5418
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3
Possible information leak / session hijack vulnerability Open
rack (2.0.6)
Advisory: CVE-2019-16782
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
Denial of Service Vulnerability in Action View Open
actionview (5.1.4)
Advisory: CVE-2019-5419
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
OS Command Injection in Rake Open
rake (12.3.2)
Advisory: CVE-2020-8130
Criticality: High
URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Solution: upgrade to >= 12.3.3
Broken Access Control vulnerability in Active Job Open
activejob (5.1.4)
Advisory: CVE-2018-16476
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open
nokogiri (1.10.1)
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Solution: upgrade to >= 1.10.8
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open
nokogiri (1.10.1)
Advisory: CVE-2019-13117
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Solution: upgrade to >= 1.10.5
Regular Expression Denial of Service in websocket-extensions (RubyGem) Open
websocket-extensions (0.1.3)
Advisory: CVE-2020-7663
Criticality: High
URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
Solution: upgrade to >= 0.1.5
Prototype pollution attack through jQuery $.extend Open
jquery-rails (4.3.3)
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Solution: upgrade to >= 4.3.4
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open
nokogiri (1.10.1)
Advisory: CVE-2019-5477
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Solution: upgrade to >= 1.10.4