CVE-2023-50448
In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...
CVE-2023-51763
csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
@briza/air (>=0.1.21 <=0.1.22), @doorons/do-ui (>=1.1.3 <=1.3.6) +7 more potentially affected by CVE-2024-9440 via slim-select (=2.13.1)
slim-select NPM version =2.13.1 is affected by a known vulnerability. The following packages have a transitive dependency on slim-select and may be impacted: - @briza/air =0.1.21, =1.1.3, =0.7.0-beta.2, =0.4.0-beta.8, =4.2.6-alpha.16, =1.0.2, =2.0.0-beta.0, =1.0.9, =2.2.2 Source cves: CVE-2024-94...
Malicious code in activeadmin_mongoid-localize (RubyGems)
MAL-2024-6451 Malicious code in activeadmin-jfu_upload (RubyGems)
MAL-2024-6452 Malicious code in activeadmin-searchable-select (RubyGems)
MAL-2024-6450 Malicious code in activeadmin-globalize_inputs (RubyGems)
MAL-2024-6453 Malicious code in ActiveAdmin_Globalize3-inputs (RubyGems)
Cross-site Scripting (XSS)
activeadmin is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper sanitization of user input in dynamic legends, which allows the injection of arbitrary JavaScript code when creating entities with names that include a script payload...
GHSA-9MG6-X45V-HCFM activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends
Impact Users setting their Active Admin form legends dynamically may be vulnerable to stored XSS, as long as the legend's value can be injected directly by a malicious user. For example: A public web application allows users to create entities with arbitrary names. Active Admin is used to administrate...
Code injection
ActiveAdmin CSV Injection leading to sensitive information disclosure
Impact In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and then imported into a spreadsheet program like LibreOffice, could lead to remote code execution and private data exfiltration. The...