Issues - udongo/udongo - Code Climate

Code Injection vulnerability in CarrierWave::RMagick
Open

    carrierwave (0.11.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21305

Criticality: High

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4

Solution: upgrade to ~> 1.3.2, >= 2.1.1

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Open

    simple_form (3.5.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16676

Criticality: Critical

URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx

Solution: upgrade to >= 5.0

Server-side request forgery in CarrierWave
Open

    carrierwave (0.11.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

ReDoS based DoS vulnerability in GlobalID
Open

    globalid (0.4.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22799

URL: https://github.com/rails/globalid/releases/tag/v1.0.1

Solution: upgrade to >= 1.0.1

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

    better_errors (2.1.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-39197

Criticality: Medium

URL: https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm

Solution: upgrade to >= 2.8.0

Inefficient Regular Expression Complexity in Loofah
Open

    loofah (2.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23514

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Solution: upgrade to >= 2.19.1

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (5.0.7)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

    activerecord (5.0.7)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (5.0.7)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (5.0.7)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.4.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23518

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

Solution: upgrade to >= 1.4.4

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

    actionpack (5.0.7)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22885

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.8.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

udongo/udongo

Showing 1,029 of 1,029 total issues

Code Injection vulnerability in CarrierWave::RMagick
Open

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Open

Server-side request forgery in CarrierWave
Open

ReDoS based DoS vulnerability in GlobalID
Open

Improper Handling of Unexpected Data Type in Nokogiri
Open

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

Inefficient Regular Expression Complexity in Loofah
Open

XML Injection in Xerces Java affects Nokogiri
Open

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

Possible Strong Parameters Bypass in ActionPack
Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

Possible RCE escalation bug with Serialized Columns in Active Record
Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Regular Expression Denial of Service in Addressable templates
Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

Denial of Service (DoS) in Nokogiri on JRuby
Open

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

Inefficient Regular Expression Complexity in Nokogiri
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

Severity

Category

Status

Source

Language

udongo/udongo

Showing 1,029 of 1,029 total issues

Code Injection vulnerability in CarrierWave::RMagick Open

simple_form Gem for Ruby Incorrect Access Control for forms based on user input Open

Server-side request forgery in CarrierWave Open

ReDoS based DoS vulnerability in GlobalID Open

Improper Handling of Unexpected Data Type in Nokogiri Open

Older releases of better_errors open to Cross-Site Request Forgery attack Open

Inefficient Regular Expression Complexity in Loofah Open

XML Injection in Xerces Java affects Nokogiri Open

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open

Possible Strong Parameters Bypass in ActionPack Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter Open

Possible RCE escalation bug with Serialized Columns in Active Record Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open

Regular Expression Denial of Service in Addressable templates Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer Open

Denial of Service (DoS) in Nokogiri on JRuby Open

Possible Information Disclosure / Unintended Method Execution in Action Pack Open

Inefficient Regular Expression Complexity in Nokogiri Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer Open

Severity

Category

Status

Source

Language

Code Injection vulnerability in CarrierWave::RMagick
Open

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Open

Server-side request forgery in CarrierWave
Open

ReDoS based DoS vulnerability in GlobalID
Open

Improper Handling of Unexpected Data Type in Nokogiri
Open

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

Inefficient Regular Expression Complexity in Loofah
Open

XML Injection in Xerces Java affects Nokogiri
Open

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

Possible Strong Parameters Bypass in ActionPack
Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

Possible RCE escalation bug with Serialized Columns in Active Record
Open

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

Regular Expression Denial of Service in Addressable templates
Open

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

Denial of Service (DoS) in Nokogiri on JRuby
Open

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

Inefficient Regular Expression Complexity in Nokogiri
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open