Issues - nhironaka/maitri-app

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (4.2.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (4.2.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Denial of Service Vulnerability in Rack Multipart Parsing
Open

    rack (1.6.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-30122

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

RDoc OS command injection vulnerability
Open

    rdoc (4.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-31799

Criticality: High

URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/

Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1

Loofah XSS Vulnerability
Open

    loofah (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

Prototype pollution attack through jQuery $.extend
Open

    jquery-rails (4.1.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11358

Criticality: Medium

URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Solution: upgrade to >= 4.3.4

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

Potential XSS vulnerability in jQuery
Open

    jquery-rails (4.1.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11023

Criticality: Medium

URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Solution: upgrade to >= 4.4.0

Loofah XSS Vulnerability
Open

    loofah (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-16468

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/154

Solution: upgrade to >= 2.2.3

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-9050

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1673

Solution: upgrade to >= 1.8.1

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23518

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

Solution: upgrade to >= 1.4.4

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-5029

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1634

Solution: upgrade to >= 1.7.2

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23519

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

Solution: upgrade to >= 1.4.4

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.6.7.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

nhironaka/maitri-app

Showing 226 of 226 total issues

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

Possible Strong Parameters Bypass in ActionPack
Open

Denial of Service Vulnerability in Rack Multipart Parsing
Open

RDoc OS command injection vulnerability
Open

Loofah XSS Vulnerability
Open

Prototype pollution attack through jQuery $.extend
Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

Potential XSS vulnerability in jQuery
Open

Loofah XSS Vulnerability
Open

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

XML Injection in Xerces Java affects Nokogiri
Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Severity

Category

Status

Source

Language

nhironaka/maitri-app

Showing 226 of 226 total issues

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open

Denial of Service Vulnerability in Rack Content-Disposition parsing Open

Possible Strong Parameters Bypass in ActionPack Open

Denial of Service Vulnerability in Rack Multipart Parsing Open

RDoc OS command injection vulnerability Open

Loofah XSS Vulnerability Open

Prototype pollution attack through jQuery $.extend Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Open

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Open

Potential XSS vulnerability in jQuery Open

Loofah XSS Vulnerability Open

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer Open

XML Injection in Xerces Java affects Nokogiri Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Open

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open

Severity

Category

Status

Source

Language

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

Possible Strong Parameters Bypass in ActionPack
Open

Denial of Service Vulnerability in Rack Multipart Parsing
Open

RDoc OS command injection vulnerability
Open

Loofah XSS Vulnerability
Open

Prototype pollution attack through jQuery $.extend
Open

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

Potential XSS vulnerability in jQuery
Open

Loofah XSS Vulnerability
Open

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

XML Injection in Xerces Java affects Nokogiri
Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open