Showing 266 of 266 total issues
Improper neutralization of noscript
element content may allow XSS in Sanitize Open
sanitize (5.0.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2023-23627
Criticality: Medium
URL: https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7
Solution: upgrade to >= 6.0.1
Information Exposure with Puma when used with Rails Open
puma (3.12.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23634
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
Solution: upgrade to ~> 4.3.11, >= 5.6.2
simple_form Gem for Ruby Incorrect Access Control for forms based on user input Open
simple_form (4.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-16676
Criticality: Critical
URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
Solution: upgrade to >= 5.0
Keepalive Connections Causing Denial Of Service in puma Open
puma (3.12.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-29509
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Solution: upgrade to ~> 4.3.8, >= 5.3.1
HTTP Request Smuggling in puma Open
puma (3.12.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-24790
Criticality: Critical
URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Solution: upgrade to ~> 4.3.12, >= 5.6.4
CSRF vulnerability in OmniAuth's request phase Open
omniauth (1.8.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-9284
Criticality: High
URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Solution: upgrade to >= 2.0.0
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Open
puma (3.12.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-41136
Criticality: Low
URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Solution: upgrade to ~> 4.3.9, >= 5.5.1
Information Disclosure Through EXPLAIN Feature Open
pghero (2.2.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2023-22626
Criticality: High
URL: https://github.com/ankane/pghero/issues/439
Solution: upgrade to >= 3.1.0
Improper one time password handling in devise-two-factor Open
devise-two-factor (3.0.3)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-43177
Criticality: Medium
URL: https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp
Solution: upgrade to >= 4.0.2
ReDoS based DoS vulnerability in GlobalID Open
globalid (0.4.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2023-22799
URL: https://github.com/rails/globalid/releases/tag/v1.0.1
Solution: upgrade to >= 1.0.1
Class has too many lines. [359/300] Open
class Status < ApplicationRecord
before_destroy :unlink_from_conversations
include Paginable
include Streamable
- Read upRead up
- Exclude checks
This cop checks if the length a class exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Open
devise (4.5.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5421
Criticality: Critical
URL: https://github.com/plataformatec/devise/issues/4981
Solution: upgrade to >= 4.6.0
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Open
nokogiri (1.8.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-41098
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
Solution: upgrade to >= 1.12.5
Improper neutralization of data URIs may allow XSS in rails-html-sanitizer Open
rails-html-sanitizer (1.0.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23518
Criticality: Medium
URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
Solution: upgrade to >= 1.4.4
JMESPath for Ruby using JSON.load instead of JSON.parse Open
jmespath (1.4.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-32511
Criticality: Critical
URL: https://github.com/jmespath/jmespath.rb/pull/55
Solution: upgrade to >= 1.6.1
Inefficient Regular Expression Complexity in Loofah Open
loofah (2.2.3)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23514
Criticality: High
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
Solution: upgrade to >= 2.19.1
XML Injection in Xerces Java affects Nokogiri Open
nokogiri (1.8.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23437
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
Solution: upgrade to >= 1.13.4
Out-of-bounds Write in zlib affects Nokogiri Open
nokogiri (1.8.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-25032
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
Solution: upgrade to >= 1.13.4
Improper Handling of Unexpected Data Type in Nokogiri Open
nokogiri (1.8.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-29181
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
Solution: upgrade to >= 1.13.6
OmniAuth's lib/omniauth/failure_endpoint.rb
does not escape message_key
value Open
omniauth (1.8.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-36599
Criticality: Critical
Solution: upgrade to ~> 1.9.2, >= 2.0.0