moonleerecords/moonlee-website


Showing 178 of 178 total issues

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8166

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
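The "Solution: upgrade to ..." lines on this page are bundler-audit's patched-version requirements, and whether a locked version is still affected is a RubyGems version comparison, not a string match. The following script is an added example (not code from this page, from bundler-audit, or from the moonlee-website project) that evaluates those requirements with Gem::Requirement against a Gemfile.lock excerpt; the lockfile text is constructed, and the grouping of the constraints is an assumption, since the page flattens the advisory's list of requirement groups into one comma-separated line.

```ruby
require "rubygems"

# Patched ranges for CVE-2020-8166 as reconstructed from the page's
# "Solution" line (assumption: inside a group the constraints are ANDed,
# the groups themselves are ORed, which is how bundler-audit stores them).
PATCHED_CVE_2020_8166 = [
  ["~> 5.2.4", ">= 5.2.4.3"],  # stay on 5.2.x but at least 5.2.4.3
  [">= 6.0.3.1"],              # or 6.0.3.1 and newer
].freeze

# Nokogiri's fix shipped in a prerelease; Gem::Version orders "1.11.0.rc4"
# before "1.11.0", so the final release satisfies this too.
PATCHED_CVE_2020_26247 = [[">= 1.11.0.rc4"]].freeze

# True when +version+ falls inside at least one patched group.
def patched?(version, groups)
  v = Gem::Version.new(version)
  groups.any? { |group| Gem::Requirement.new(*group).satisfied_by?(v) }
end

# Pull the resolved version of +gem_name+ out of Gemfile.lock text, i.e. the
# "    actionpack (5.1.4)" line under specs (dependency lines are indented deeper).
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

# Constructed Gemfile.lock excerpt (sample data, not the project's real lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.1.4)
        actionview (= 5.1.4)
      actionview (5.1.4)
      nokogiri (1.10.1)
LOCK

# nil when the gem is not locked at all, otherwise whether it still needs the upgrade.
def needs_upgrade?(lockfile_text, gem_name, groups)
  version = locked_version(lockfile_text, gem_name)
  return nil if version.nil?
  !patched?(version, groups)
end

if __FILE__ == $0
  puts "actionpack #{locked_version(SAMPLE_LOCKFILE, 'actionpack')} needs upgrade " \
       "for CVE-2020-8166: #{needs_upgrade?(SAMPLE_LOCKFILE, 'actionpack', PATCHED_CVE_2020_8166)}"
end
```

The point of grouping matters in practice: 5.2.4.3 satisfies the first group, 6.0.3.0 satisfies neither, and a version such as 5.3.0 would fail the pessimistic "~> 5.2.4" constraint despite being numerically higher than 5.2.4.3.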

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

    activerecord (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22880

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, ~> 6.0.3.5, >= 6.1.2.1

Potential XSS vulnerability in Action View
Open

    actionview (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-15169

URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc

Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

Insecure Source URI found: git://github.com/justinfrench/formtastic.git
Open

  remote: git://github.com/justinfrench/formtastic.git
Severity: Minor
Found in Gemfile.lock by bundler-audit
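An "Insecure Source URI" finding means the lockfile fetches a gem over a scheme that gives the client no way to authenticate the server: git:// and http:// are unencrypted, so anyone on the network path can substitute code, and GitHub no longer serves git:// at all. The script below is an added example (not code from this page, from bundler-audit, or from the moonlee-website project) that reproduces the check over a constructed Gemfile.lock excerpt and shows the https:// rewrite that clears each of the five such findings on this page.

```ruby
require "uri"

# Schemes bundler-audit treats as insecure for a gem source.
INSECURE_SCHEMES = %w[git http].freeze

# Return every "remote:" URI in the lockfile whose scheme is unauthenticated.
def insecure_sources(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/^\s*remote:\s+(\S+)/)
    next unless m
    begin
      uri = URI.parse(m[1])
    rescue URI::InvalidURIError
      next  # malformed remote lines are not this check's concern
    end
    uri.to_s if INSECURE_SCHEMES.include?(uri.scheme)
  end
end

# The fix: point the Gemfile at the same repository over https://, then
# re-run bundle install so the lockfile's remote: line is regenerated.
def secure_equivalent(source)
  source.sub(%r{\A(?:git|http)://}, "https://")
end

# Constructed Gemfile.lock excerpt (sample data, not the project's real lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/justinfrench/formtastic.git
    specs:

  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.6)
LOCK

if __FILE__ == $0
  insecure_sources(SAMPLE_LOCKFILE).each do |src|
    puts "insecure source #{src}  ->  use #{secure_equivalent(src)}"
  end
end
```

In the Gemfile this is the difference between `git: 'git://github.com/justinfrench/formtastic.git'` and `git: 'https://github.com/justinfrench/formtastic.git'`; bundler rewrites the lockfile from whichever one the Gemfile declares, so editing Gemfile.lock by hand is not sufficient.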

Cross-Site Scripting in Kaminari via original_script_name parameter
Open

    kaminari (1.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11082

Criticality: Medium

URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433

Solution: upgrade to >= 1.2.1

Possible XSS vulnerability in ActionView
Open

    actionview (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5267

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8

Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

    geocoder (1.5.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7981

Criticality: Critical

URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7981

Solution: upgrade to >= 1.6.1

Insecure Source URI found: git://github.com/activeadmin/activeadmin.git
Open

  remote: git://github.com/activeadmin/activeadmin.git
Severity: Minor
Found in Gemfile.lock by bundler-audit

CSRF Vulnerability in rails-ujs
Open

    actionview (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8167

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Insecure Source URI found: git://github.com/activerecord-hackery/ransack.git
Open

  remote: git://github.com/activerecord-hackery/ransack.git
Severity: Minor
Found in Gemfile.lock by bundler-audit

Insecure Source URI found: git://github.com/activeadmin/inherited_resources.git
Open

  remote: git://github.com/activeadmin/inherited_resources.git
Severity: Minor
Found in Gemfile.lock by bundler-audit

Insecure Source URI found: git://github.com/rails/activemodel-serializers-xml.git
Open

  remote: git://github.com/rails/activemodel-serializers-xml.git
Severity: Minor
Found in Gemfile.lock by bundler-audit

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8164

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (2.0.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (4.6.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16109

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.10.1)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (2.0.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8184

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8165

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Loofah XSS Vulnerability
Open

    loofah (2.2.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

Method posts has a Cognitive Complexity of 15 (exceeds 5 allowed). Consider refactoring.
Open

    def posts
      csv = parse_csv_file('posts.csv')

      csv.each do |row|
        unless row['wp_post_type'] == 'post' && row['wp_post_status'] == 'publish'
Severity: Minor
Found in lib/import.rb - About 1 hr to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"
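To make the nesting rule concrete, here is the same CSV filter written twice, once with the flow-breaking structures nested inside each other and once flattened into a named predicate. This is an added example, not the project's lib/import.rb; it only borrows the wp_post_type and wp_post_status column names from the snippet above, and the CSV rows are constructed.

```ruby
require "csv"

# Constructed sample in the shape the snippet above reads (post_title is
# an assumed column name; an empty title row is included as an edge case).
SAMPLE_POSTS_CSV = <<~CSV
  wp_post_type,wp_post_status,post_title
  post,publish,First post
  post,draft,Unfinished
  page,publish,About
  post,publish,
  post,publish,Second post
CSV

# Nested version: a loop, an early exit inside it, an if inside that, and
# another if inside that. Each extra level of nesting adds to the score,
# which is what drives a method past the threshold reported above.
def published_titles_nested(csv_text)
  titles = []
  CSV.parse(csv_text, headers: true).each do |row|
    next unless row["wp_post_type"] == "post"
    if row["wp_post_status"] == "publish"
      if row["post_title"] && !row["post_title"].empty?
        titles << row["post_title"]
      end
    end
  end
  titles
end

# Flattened version: the three conditions become one named predicate joined
# with &&, which the first rule does not penalise, and the pipeline has no
# nesting at all, so a reader follows it in a single pass.
def importable_post?(row)
  row["wp_post_type"] == "post" &&
    row["wp_post_status"] == "publish" &&
    !row["post_title"].to_s.empty?
end

def published_titles_flat(csv_text)
  CSV.parse(csv_text, headers: true)
     .select { |row| importable_post?(row) }
     .map { |row| row["post_title"] }
end

if __FILE__ == $0
  p published_titles_nested(SAMPLE_POSTS_CSV)
  p published_titles_flat(SAMPLE_POSTS_CSV)
end
```

Both functions return the same titles for the same input, so the refactor is behaviour-preserving; only the shape a reader has to hold in their head changes.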
