5078 matches found
CVE-2023-50448
In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...
Code injection
In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...
ActiveAdmin CSV Injection leading to sensitive information disclosure
Impact In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and then imported into a spreadsheet program like LibreOffice, could lead to remote code execution and private data exfiltration. The...
GHSA-XHVV-3JWW-C487 ActiveAdmin CSV Injection leading to sensitive information disclosure
Impact In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and then imported into a spreadsheet program like LibreOffice, could lead to remote code execution and private data exfiltration. The...
Active Admin security vulnerability
Active Admin is an open source Ruby on Rails framework. It is used to create a backend for website management. A security vulnerability exists in versions prior to Active Admin 2.12.0 that originated from allowing an attacker to access another user's private data by initiating a CSV...
PT-2023-23280 · Unknown · Sesami Cash Point & Transport Optimizer
Name of the Vulnerable Software and Affected Versions: Sesami Cash Point & Transport Optimizer CPTO version 6.3.8.6 Description: The issue allows remote attackers to obtain sensitive information via the Delivery Name field. This is a result of a CSV Injection vulnerability. Recommendations: For...
CVE-2023-50448
Summary: CVE-2023-50448 affects ActiveAdmin (Ruby on Rails) before 2.12.0, where a concurrency issue in the CSV export path can let a user access data belonging to another user. The root cause is a shared, unsynchronized variable that holds the collection to be exported, allowing timing-based lea...
PT-2023-23282 · Unknown · Sesami Cash Point & Transport Optimizer
Name of the Vulnerable Software and Affected Versions: Sesami Cash Point & Transport Optimizer CPTO version 6.3.8.6 Description: The issue allows attackers to obtain sensitive information via the User Name field. This is a CSV Injection vulnerability, which can be exploited to gain unauthorized...
Potential CSV export data leak
Impact In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user. The bug affects the functionality to export data as CSV files, and was caused by a variable holding the...
CSV Injection
Active Admin is vulnerable to CSV Injection. This vulnerability is due to missing sanitization while exporting a CSV file. An attacker can inject malicious data into a CSV file, such as =, +, -', @, \t, \r, which results in arbitrary macro execution if the CSV file is opened in software such as Excel...
GHSA-RQXC-9P8H-XQGQ Duplicate Advisory: ActiveAdmin vulnerable to CSV injection
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhvv-3jww-c487. This link is maintained to preserve external references. Original Description csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
Duplicate Advisory: ActiveAdmin vulnerable to CSV injection
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhvv-3jww-c487. This link is maintained to preserve external references. Original Description csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
CVE-2023-51763
csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
Input validation
csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...
CVE-2023-51763
ActiveAdmin CSV injection CVE-2023-51763 affects csv_builder.rb in ActiveAdmin prior to 3.2.0. The underlying issue is that spreadsheet formulas could be uploaded/exported via CSV, allowing injection when opened in programs like LibreOffice. The Red Hat and GitHub advisories corroborate the issue...
ActiveAdmin vulnerable to CSV injection
csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...