CVE-2020-36190
https://notcve.org/view.php?id=CVE-2020-36190
RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms. RailsAdmin (también se conoce como rails_admin) versiones anteriores a 1.4.3 y versiones 2.x anteriores a 2.0.2, permite un ataque de tipo XSS por medio de formularios anidados • https://github.com/sferik/rails_admin/blob/master/README.md https://github.com/sferik/rails_admin/commit/d72090ec6a07c3b9b7b48ab50f3d405f91ff4375 https://github.com/sferik/rails_admin/compare/v1.4.2...v1.4.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-10522
https://notcve.org/view.php?id=CVE-2016-10522
rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem. La gema de ruby rails_admin ruby gem en versiones anteriores a la v1.1.1 es vulnerable a ataques de Cross-Site Request Forgery (CSRF). Los métodos non-GET no validaban los tokens CSRF y, como resultado, un atacante podría obtener acceso a los endpoints administrativos de la aplicación expuestos por la gema. • https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173 • CWE-352: Cross-Site Request Forgery (CSRF) •