Thoughtbot
Products
4- Paperclip2 CVEsgem
- Administrate1 CVEgem
- Clearance1 CVEgem
- Cocaine1 CVEgem
Recent CVEs
5| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-0889 | Cri | 0.64 | 9.8 | 0.03 | Nov 13, 2017 | Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources. | ||
| CVE-2021-23435 | 0.00 | — | 0.01 | Sep 12, 2021 | This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the user ends up being redirected to the external… | |||
| CVE-2020-5257 | 0.00 | — | 0.01 | Mar 13, 2020 | In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter… | |||
| CVE-2015-2963 | 0.00 | — | 0.02 | Jul 10, 2015 | The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg. | |||
| CVE-2013-4457 | 0.00 | — | 0.01 | Nov 2, 2013 | The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation. |
- risk 0.64cvss 9.8epss 0.03
Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.
- CVE-2021-23435Sep 12, 2021risk 0.00cvss —epss 0.01
This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the user ends up being redirected to the external…
- CVE-2020-5257Mar 13, 2020risk 0.00cvss —epss 0.01
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter…
- CVE-2015-2963Jul 10, 2015risk 0.00cvss —epss 0.02
The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.
- CVE-2013-4457Nov 2, 2013risk 0.00cvss —epss 0.01
The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation.