RubyGems package

activeadmin

pkg:gem/activeadmin

Vulnerabilities (3)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-37031	Med	6.1	< 3.2.2	3.2.2	Jun 3, 2024	The Active Admin (aka activeadmin) framework before 3.2.2 for Ruby on Rails allows stored XSS in certain situations where users can create entities (to be later edited in forms) with arbitrary names, aka a "dynamic form legends" issue. 4.0.0.beta7 is also a fixed version.
CVE-2023-50448		—	< 2.12.0	2.12.0	Dec 28, 2023	In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times.
CVE-2023-51763		—	< 3.2.0	3.2.0	Dec 24, 2023	csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.

CVE-2024-37031MedJun 3, 2024
affected < 3.2.2fixed 3.2.2
The Active Admin (aka activeadmin) framework before 3.2.2 for Ruby on Rails allows stored XSS in certain situations where users can create entities (to be later edited in forms) with arbitrary names, aka a "dynamic form legends" issue. 4.0.0.beta7 is also a fixed version.
CVE-2023-50448Dec 28, 2023
affected < 2.12.0fixed 2.12.0
In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times.
CVE-2023-51763Dec 24, 2023
affected < 3.2.0fixed 3.2.0
csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.