Plataformatec Security Vulnerabilities

CVE-2013-0233

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass s...

7.1 AI Score

0.139 EPSS

2022-10-03 04:15 PM

CVE-2019-16109

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records wo...

5.3 CVSS

5.1 AI Score

0.001 EPSS

2019-09-08 08:15 PM

CVE-2019-16676

Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.

9.8 CVSS

9.3 AI Score

0.006 EPSS

2019-09-30 12:15 PM

CVE-2019-5421

Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the Devise::Models::Lockable class, more specifically at the #increment_failed_attempts method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests ...

9.8 CVSS

9.3 AI Score

0.003 EPSS

2019-04-03 03:29 PM