CVE-2019-16676
https://notcve.org/view.php?id=CVE-2019-16676
Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call. • http://blog.plataformatec.com.br/2019/09/incorrect-access-control-in-simple-form-cve-2019-16676 https://github.com/plataformatec/simple_form/commits/master https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx • CWE-20: Improper Input Validation •
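The bug class behind this entry, as an added illustration (constructed code, not Simple Form's implementation or its upstream patch): a form-builder helper that gates a `send` on nothing more than `respond_to?`, so any public method name that reaches it gets invoked, beside a variant that only dispatches to an explicit allowlist of declared attributes. The `Article` model, `FILE_METHODS`, `UploadedFile` and the `destroy!` side effect are all assumptions made for the demo.

```ruby
# Constructed illustration of the CVE-2019-16676 bug class; not Simple Form's code.
require "set"

# Stand-in model: a harmless attribute reader next to a method that must never be
# reachable from request-controlled input (assumed for the demo).
class Article
  attr_reader :title, :attachment

  def initialize(title:, attachment: nil)
    @title = title
    @attachment = attachment
    @destroyed = false
  end

  def destroyed?
    @destroyed
  end

  # Dangerous side-effecting method, present only to make the problem observable.
  def destroy!
    @destroyed = true
  end
end

# Duck-typed "uploaded file"; file detection asks whether the value responds to these.
FILE_METHODS = %i[path original_filename].freeze
UploadedFile = Struct.new(:path, :original_filename)

# Vulnerable variant: respond_to? is the only gate before `send`, so ANY public
# method name arriving in attribute_name is invoked, including destroy!.
def vulnerable_file_method?(object, attribute_name)
  value = object.send(attribute_name) if object.respond_to?(attribute_name)
  value && FILE_METHODS.any? { |m| value.respond_to?(m) }
end

# Hardened variant: only method names the application explicitly declared as form
# attributes may be dispatched. This allowlist is the generic fix for the bug
# class, not a copy of the upstream change.
def hardened_file_method?(object, attribute_name, allowed_attributes)
  name = attribute_name.to_s
  return false unless allowed_attributes.include?(name)
  return false unless object.respond_to?(name)

  value = object.public_send(name)
  value && FILE_METHODS.any? { |m| value.respond_to?(m) }
end

# Runs both variants against a legitimate attribute and a hostile method name and
# reports what happened to the model objects.
def demo
  allowed = Set.new(%w[title attachment])

  # Legitimate use: detect that :attachment carries a file.
  article = Article.new(title: "hello",
                        attachment: UploadedFile.new("/tmp/x", "x.png"))
  result = {
    legit_vulnerable: vulnerable_file_method?(article, :attachment),
    legit_hardened: hardened_file_method?(article, :attachment, allowed)
  }

  # Hostile input: the string "destroy!" arriving where an attribute name was expected.
  victim = Article.new(title: "hello")
  vulnerable_file_method?(victim, "destroy!")
  result[:destroyed_by_vulnerable] = victim.destroyed?

  victim2 = Article.new(title: "hello")
  hardened_file_method?(victim2, "destroy!", allowed)
  result[:destroyed_by_hardened] = victim2.destroyed?

  result
end
```

The return value of `vulnerable_file_method?` is false for `"destroy!"` (a boolean does not respond to `path`), which is exactly why this pattern is easy to miss in review: the call looks like a harmless predicate, but the side effect has already run by the time it returns.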
CVE-2019-16109
https://notcve.org/view.php?id=CVE-2019-16109
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.) • https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1 https://github.com/plataformatec/devise/issues/5071 https://github.com/plataformatec/devise/pull/5132 •
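The failure mode described above, as an added illustration (constructed code, not Devise's `confirm_by_token`): an in-memory user table with a `find_by`-style equality lookup, a record seeded with a blank token column (the precondition the entry describes, created deliberately here since Devise itself does not produce such rows), and the same flow with a blank-token check placed before the query. The `User` struct, `UserStore` and the seeded e-mail addresses are assumptions for the demo.

```ruby
# Constructed illustration of CVE-2019-16109; not Devise's own code.
require "securerandom"

User = Struct.new(:email, :confirmation_token, :confirmed_at, keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end
end

# Mimics ActiveRecord's `find_by(confirmation_token: value)`: plain equality on
# the column, and "" == "" is a perfectly valid match.
class UserStore
  attr_reader :users

  def initialize(users)
    @users = users
  end

  def find_by_confirmation_token(token)
    @users.find { |u| u.confirmation_token == token }
  end
end

# Vulnerable flow: whatever arrived in the request is used for the lookup.
def confirm_by_token_vulnerable(store, token)
  user = store.find_by_confirmation_token(token)
  return :not_found unless user

  user.confirmed_at = Time.now
  user.confirmation_token = nil
  :confirmed
end

# Hardened flow: a blank token is rejected before any query runs, so a row whose
# column happens to be blank can no longer be matched by an empty parameter.
def confirm_by_token_hardened(store, token)
  return :invalid_token if token.nil? || token.to_s.strip.empty?

  confirm_by_token_vulnerable(store, token)
end

# One normal pending user plus one record with a blank token column (seeded on
# purpose to reproduce the precondition; assumed data).
def seeded_store
  UserStore.new([
    User.new(email: "pending@example.com", confirmation_token: SecureRandom.hex(16)),
    User.new(email: "blank-token@example.com", confirmation_token: "")
  ])
end

# Sends a blank token through both flows and a real token through the hardened one.
def demo
  v = seeded_store
  h = seeded_store
  {
    vulnerable_blank: confirm_by_token_vulnerable(v, ""),
    vulnerable_victim_confirmed: v.users[1].confirmed?,
    hardened_blank: confirm_by_token_hardened(h, ""),
    hardened_victim_confirmed: h.users[1].confirmed?,
    hardened_real_token: confirm_by_token_hardened(h, h.users[0].confirmation_token),
    hardened_pending_confirmed: h.users[0].confirmed?
  }
end
```

The general lesson is that a token lookup must treat "no token presented" as a distinct failure rather than letting it fall through to the database, where the column's own sentinel values (blank, and in other schemas NULL or a default) decide the outcome.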
CVE-2019-5421
https://notcve.org/view.php?id=CVE-2019-5421
Plataformatec Devise version 4.5.0 and earlier, when using the lockable module, contains a CWE-367 vulnerability in the `Devise::Models::Lockable` class, specifically in the `#increment_failed_attempts` method (file location: lib/devise/models/lockable.rb). Multiple concurrent requests can prevent an attacker from being locked out during a brute-force attack. The attack is exploitable via network connectivity (brute-force attacks). This vulnerability appears to have been fixed in 4.6.0 and later. • https://github.com/plataformatec/devise/issues/4981 https://github.com/plataformatec/devise/pull/4996 • CWE-307: Improper Restriction of Excessive Authentication Attempts CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
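The race described above, as an added illustration (constructed code, not Devise's lockable module): a failed-attempts counter updated as read-then-write from the application loses increments when requests overlap, so the lock threshold is never reached, while a single atomic counter-update statement is not affected. The `AccountRow` stand-in for a database row, `MAX_ATTEMPTS` and the `sleep` used to widen the window are assumptions for the demo.

```ruby
# Constructed illustration of the CVE-2019-5421 race; not Devise's own code.
MAX_ATTEMPTS = 5 # assumed lock threshold

# Stands in for a database row. The mutex plays the role of the database
# serialising individual statements; it does NOT protect the application's
# read-modify-write sequence, which is the whole point.
class AccountRow
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
    @db_lock = Mutex.new
  end

  # SELECT failed_attempts FROM users WHERE id = ?
  def read
    @db_lock.synchronize { @failed_attempts }
  end

  # UPDATE users SET failed_attempts = ? WHERE id = ?
  def write(value)
    @db_lock.synchronize { @failed_attempts = value }
  end

  # UPDATE users SET failed_attempts = failed_attempts + 1 WHERE id = ?
  # (one statement, atomic on the database side)
  def increment_atomic
    @db_lock.synchronize { @failed_attempts += 1 }
  end
end

# Time-of-check / time-of-use: the value is read into the application, then
# written back later, so N overlapping requests can all read the same value and
# each write back value + 1.
def increment_failed_attempts_racy(row)
  attempts = row.read      # time of check
  sleep 0.1                # request processing; widens the race window
  row.write(attempts + 1)  # time of use: clobbers concurrent increments
end

def increment_failed_attempts_atomic(row)
  row.increment_atomic
  sleep 0.1
end

def locked?(row)
  row.read >= MAX_ATTEMPTS
end

# Fires `parallel` failed logins at once and returns the resulting counter.
def simulate_brute_force(row, parallel, &increment)
  parallel.times.map { Thread.new { increment.call(row) } }.each(&:join)
  row.failed_attempts
end

# Runs the same burst against both update strategies.
def demo(parallel = 20)
  racy_row = AccountRow.new
  atomic_row = AccountRow.new
  {
    racy_attempts: simulate_brute_force(racy_row, parallel) { |r| increment_failed_attempts_racy(r) },
    racy_locked: locked?(racy_row),
    atomic_attempts: simulate_brute_force(atomic_row, parallel) { |r| increment_failed_attempts_atomic(r) },
    atomic_locked: locked?(atomic_row)
  }
end
```

With twenty overlapping requests the racy counter ends at 1 and the account is never locked; the atomic counter ends at 20. The same shape applies to any "count then compare" control implemented in application memory: the fix is to push the increment into the store as one statement (or take a row lock), then read the result back.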
CVE-2013-0233 – Ruby On Rails Devise Authentication Password Reset
https://notcve.org/view.php?id=CVE-2013-0233
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. • http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset http://www.openwall.com/lists/oss-security/2013/01/29/3 http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html http://www.securityfocus.com/bid/57577 https://github.com/Snorby/snorby/i • CWE-399: Resource Management Errors •
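The type-conversion problem behind this entry, as an added illustration (constructed code, not Devise's or Rails' implementation): a password-reset lookup whose token parameter can arrive from a JSON request body as an Integer rather than a String, compared against a string column using the coercion MySQL applies when a string is compared with a number (the string's leading numeric prefix is used, and a string with no numeric prefix compares equal to 0). The hardened variant casts the filter value to a String before it reaches the query, in the spirit of the fix, and refuses blank tokens. The `User` struct, `UserTable`, the seeded tokens and the simplified `mysql_equal?` rule (MySQL really compares as doubles, so forms like `1e3` are not modelled) are assumptions for the demo.

```ruby
# Constructed illustration of the CVE-2013-0233 bug class; not Devise's code.
require "json"

User = Struct.new(:email, :reset_password_token, keyword_init: true)

# Simulates MySQL's `column = literal` for the two literal types a JSON/XML body
# could deliver. Simplified: numeric prefix only, no float/exponent handling.
def mysql_equal?(column_value, literal)
  case literal
  when String
    column_value == literal
  when Integer
    prefix = column_value[/\A\s*[+-]?\d+/]
    (prefix ? prefix.to_i : 0) == literal
  else
    false
  end
end

class UserTable
  def initialize(users)
    @users = users
  end

  # SELECT * FROM users WHERE reset_password_token = <literal> LIMIT 1
  def find_first_by_token(literal)
    @users.find { |u| mysql_equal?(u.reset_password_token, literal) }
  end
end

# Vulnerable: the parameter reaches the query with whatever type the body
# parser produced.
def user_for_reset_vulnerable(table, params)
  table.find_first_by_token(params["reset_password_token"])
end

# Hardened: accept only scalar types, cast to String before querying (an
# Integer 0 becomes "0", which only matches a token that literally is "0"),
# and refuse blank tokens outright.
def user_for_reset_hardened(table, params)
  token = params["reset_password_token"]
  return nil unless token.is_a?(String) || token.is_a?(Integer)

  token = token.to_s
  return nil if token.empty?

  table.find_first_by_token(token)
end

# Seeded tokens (assumed values). alice's token starts with a digit, so under
# numeric coercion it compares as 7; admin's token has no numeric prefix and
# compares as 0.
ALICE_TOKEN = "7f3e9c2a".freeze
ADMIN_TOKEN = "a1b2c3d4e5f6".freeze

def seeded_table
  UserTable.new([
    User.new(email: "alice@example.com", reset_password_token: ALICE_TOKEN),
    User.new(email: "admin@example.com", reset_password_token: ADMIN_TOKEN)
  ])
end

# Runs a hostile JSON body and a legitimate reset-link parameter through both
# lookups, returning the e-mail each one resolves to.
def demo
  table = seeded_table
  # Body an attacker would send with Content-Type: application/json (constructed).
  hostile = JSON.parse('{"user": {"reset_password_token": 0}}')["user"]
  # Parameter a genuine reset link produces.
  legit = { "reset_password_token" => ADMIN_TOKEN }
  {
    hostile_vulnerable: user_for_reset_vulnerable(table, hostile)&.email,
    hostile_hardened: user_for_reset_hardened(table, hostile)&.email,
    legit_hardened: user_for_reset_hardened(table, legit)&.email
  }
end
```

The hostile body skips alice (prefix 7 is not 0) and lands on admin, which is why the Metasploit module cited above could reset passwords of arbitrary accounts without knowing any token: an attacker only needs a target whose token has no numeric prefix, and random hex tokens frequently do. Casting filter values to the column's type before the query removes the database's coercion rules from the trust boundary entirely.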