CVE-2020-36190
https://notcve.org/view.php?id=CVE-2020-36190
RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms. RailsAdmin (también se conoce como rails_admin) versiones anteriores a 1.4.3 y versiones 2.x anteriores a 2.0.2, permite un ataque de tipo XSS por medio de formularios anidados • https://github.com/sferik/rails_admin/blob/master/README.md https://github.com/sferik/rails_admin/commit/d72090ec6a07c3b9b7b48ab50f3d405f91ff4375 https://github.com/sferik/rails_admin/compare/v1.4.2...v1.4.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-10522
https://notcve.org/view.php?id=CVE-2016-10522
rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem. La gema de ruby rails_admin ruby gem en versiones anteriores a la v1.1.1 es vulnerable a ataques de Cross-Site Request Forgery (CSRF). Los métodos non-GET no validaban los tokens CSRF y, como resultado, un atacante podría obtener acceso a los endpoints administrativos de la aplicación expuestos por la gema. • https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-12098
https://notcve.org/view.php?id=CVE-2017-12098
An exploitable cross site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability. Existe una vulnerabilidad de Cross-Site Scripting (XSS) explotable en la funcionalidad add filter de la gema de rails rails_admin en su versión 1.2.0. Una URL especialmente manipulada puede provocar un error de XSS, lo que lleva a que un atacante pueda ejecutar JavaScript arbitrario en el navegador de la víctima. • http://www.securityfocus.com/bid/102486 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •