3 matches found
CVE-2019-16109
CVE-2019-16109 affects Plataformatec Devise before 4.7.1. The flaw allows an account to be confirmed when the request carries a blank confirmation_token and a database record also holds a blank token; there is no scenario within Devise itself in which such a record would exist. Red Hat/NVD/OSV/Nessus attest to the s...
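The blank-token match described above, as an added Ruby example that is not Devise's own code: a hypothetical in-memory confirmable lookup (fresh_users, confirm_by_token_unchecked, confirm_by_token_checked are names assumed here) with constructed records, one of which has the blank token that is the precondition for the flaw. The unchecked version shows a request with no token confirming that record; the checked version rejects a nil or blank token before the lookup.

```ruby
# Added example, not Devise's code: a hypothetical in-memory confirmable
# lookup that shows the blank-token match CVE-2019-16109 describes.
# Records are constructed here; in Devise the lookup is an ActiveRecord
# query against the users table.

User = Struct.new(:email, :confirmation_token, :confirmed_at)

# Constructed fixtures. The third record has a blank token, the precondition
# for the flaw; Devise itself never writes such a row, so it stands in for a
# record created by some other path.
def fresh_users
  [
    User.new("alice@example.com",  "Zk9qJx3wEa", nil),
    User.new("bob@example.com",    "pQ2Lm7vR1t", nil),
    User.new("orphan@example.com", "",           nil),
  ]
end

# Vulnerable shape: the request parameter goes straight into the lookup.
# A missing parameter becomes "" and equals the blank stored token, so the
# orphan row is confirmed by a request that carries no token at all.
def confirm_by_token_unchecked(users, token)
  user = users.find { |u| u.confirmation_token == token.to_s }
  return nil unless user
  user.confirmed_at = Time.now
  user
end

# Hardened shape: reject a nil or blank token before the lookup, so an
# absent parameter can never match anything regardless of what the store holds.
def confirm_by_token_checked(users, token)
  return nil if token.nil? || token.to_s.strip.empty?
  user = users.find { |u| u.confirmation_token == token }
  return nil unless user
  user.confirmed_at = Time.now
  user
end
```

The guard belongs before the query rather than after it: filtering blank tokens at lookup time means the outcome no longer depends on what rows happen to exist in the table.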
CVE-2013-0233
CVE-2013-0233 concerns the Devise gem for Ruby. Affected versions (2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4) may mishandle type conversion during database queries when used with certain databases, potentially allowing remote attackers to obtain incorrect ...
CVE-2019-5421
CVE-2019-5421 affects Plataformatec Devise 4.5.0 and earlier, where the lockable module, specifically Devise::Models::Lockable#increment_failed_attempts, contains a CWE-367 (time-of-check/time-of-use) race condition. This can allow multiple concurrent requests to bypass the blocking of brute-force attempts, with...
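The race described above, as an added Ruby example that is not Devise's own code: a hypothetical in-memory Account (the class, the MAX_ATTEMPTS constant and the simulate helper are assumed names, and the lock threshold of 5 is an assumed value) whose failed-attempt counter is incremented by concurrent threads standing in for concurrent login requests. The racy increment is a read-modify-write with a deliberate sleep in the window, so the threads read the same old value and lose each other's increments; the serialised increment holds a lock across the read and write, the in-process analogue of an atomic counter update in the database.

```ruby
# Added example, not Devise's code: models the lockable counter that
# CVE-2019-5421 describes. A hypothetical in-memory account stands in for
# the users row; the sleep between read and write forces the interleaving
# that concurrent requests produce against a real database.

MAX_ATTEMPTS = 5   # assumed lock threshold (Devise's config.maximum_attempts)

class Account
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
    @lock = Mutex.new
  end

  # Non-atomic read-modify-write: every concurrent request may read the
  # same old value and write back old + 1, losing the other increments.
  def increment_failed_attempts_racy
    current = @failed_attempts
    sleep 0.005                  # window in which the other requests run
    @failed_attempts = current + 1
  end

  # Serialised increment: read and write happen under one lock, the
  # in-process analogue of an atomic "failed_attempts = failed_attempts + 1"
  # update executed by the database.
  def increment_failed_attempts_atomic
    @lock.synchronize do
      current = @failed_attempts
      sleep 0.005
      @failed_attempts = current + 1
    end
  end

  def locked?
    @failed_attempts >= MAX_ATTEMPTS
  end
end

# Fire `requests` failed logins at once and report the final counter state.
def simulate(requests, method)
  account = Account.new
  threads = Array.new(requests) { Thread.new { account.public_send(method) } }
  threads.each(&:join)
  { failed_attempts: account.failed_attempts, locked: account.locked? }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(20, :increment_failed_attempts_racy)    # counter far below 20, not locked
  p simulate(20, :increment_failed_attempts_atomic)  # counter 20, locked
end
```

With twenty concurrent failures the racy counter typically ends at one or two, so the account never reaches the threshold and the attacker keeps guessing; the serialised version counts every attempt and locks the account as intended.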