RubyGems package
devise
pkg:gem/devise
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40295 | Med | 6.1 | < 5.0.4 | 5.0.4 | May 22, 2026 | Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validatio | |
| CVE-2026-32700 | — | < 5.0.3 | 5.0.3 | Mar 18, 2026 | Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the defaul | ||
| CVE-2015-8314 | — | < 3.5.4 | 3.5.4 | Dec 12, 2023 | The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access. | ||
| CVE-2019-16109 | — | < 4.7.1 | 4.7.1 | Sep 8, 2019 | An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such | ||
| CVE-2019-5421 | — | < 4.6.0 | 4.6.0 | Apr 3, 2019 | Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multip | ||
| CVE-2013-0233 | — | >= 2.2.0, < 2.2.3 | 2.2.3 | Apr 25, 2013 | Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be re |
- affected < 5.0.4fixed 5.0.4
Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validatio
- CVE-2026-32700Mar 18, 2026affected < 5.0.3fixed 5.0.3
Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the defaul
- CVE-2015-8314Dec 12, 2023affected < 3.5.4fixed 3.5.4
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
- CVE-2019-16109Sep 8, 2019affected < 4.7.1fixed 4.7.1
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such
- CVE-2019-5421Apr 3, 2019affected < 4.6.0fixed 4.6.0
Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multip
- CVE-2013-0233Apr 25, 2013affected >= 2.2.0, < 2.2.3fixed 2.2.3
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be re