昨年発売された新型iPad Proには、iPhoneで先行していたFace ID技術が搭載されました…
[activemodel] Duplicate Advisory: Moderate severity vulnerability that affects activemodel
Duplicate advisory
This advisory has been withdrawn because it is a duplicate of GHSA-543v-gj2c-r3ch. This link is maintained to preserve external references.
Original Description
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5….
[ember-source] ember-source Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title …
[rest-client] rest-client vulnerable to Session Fixation
REST client for Ruby (aka rest-client) versions 1.6.1.a until 1.8.0 allow remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.
References
https://…
[tough-cookie] Regular Expression Denial of Service in tough-cookie
Affected versions of tough-cookie are susceptible to a regular expression denial of service.
The amplification on this vulnerability is relatively low – it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters…
[sanitize] Sanitize vulnerable to Improper Input Validation and Cross-site Scripting
When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.
This can allow…
[rack-protection] rack-protection Observable Discrepancy vulnerability
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby a…
[sinatra] Sinatra Path Traversal vulnerability
An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-7212
https://github.com/…
[lynx] lynx doesn’t properly sanitize user input and exposes database password to unauthorized users
The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
As of version 1.0.0, lynx no longer supports a –password option. Passwords are only co…
[omniauth-oauth2] omniauth-oauth2 Cross-Site Request Forgery vulnerability
Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem prior to 1.1.1 for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.
References
https://nvd.nist.gov/vuln/detail/CVE-20…