CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16676
https://notcve.org/view.php?id=CVE-2019-16676
30 Sep 2019 — Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call. Plataformatec Simple Form, presenta un Control de Acceso Incorrecto en file_method? en biblioteca lib/simple_form/form_builder.rb, porque una cadena suministrada por el usuario es invocada como una llamada a un método. • http://blog.plataformatec.com.br/2019/09/incorrect-access-control-in-simple-form-cve-2019-16676 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16109
https://notcve.org/view.php?id=CVE-2019-16109
08 Sep 2019 — An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.) Se detectó un problema en Plataformatec Devise en versiones anteriores a la 4.7.1. Confirma las cuentas al recibir una solicitud con confirmation_token en blanco, si un registro de base de datos tiene ... • https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-5421
https://notcve.org/view.php?id=CVE-2019-5421
03 Apr 2019 — Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 an... • https://github.com/plataformatec/devise/issues/4981 • CWE-307: Improper Restriction of Excessive Authentication Attempts CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 6.8EPSS: 68%CPEs: 17EXPL: 3CVE-2013-0233 – Ruby on Rails Devise Authentication Password Reset
https://notcve.org/view.php?id=CVE-2013-0233
25 Apr 2013 — Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. Devise v2.2.x antes de v2.2.3, v2.1.x antes de v2.1.3, v2.0.x antes de v2.0.5, v1.5.x antes de v1.5.4 de Ruby, al u... • https://packetstorm.news/files/id/180861 • CWE-399: Resource Management Errors •