Vulnerabilities (CVE)

Filtered by vendor Thoughtbot Subscribe
Filtered by product Administrate
Total 2 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-5257 1 Thoughtbot 1 Administrate 2024-11-21 5.5 MEDIUM 7.7 HIGH
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0.
CVE-2016-3098 1 Thoughtbot 1 Administrate 2024-11-21 N/A 5.4 MEDIUM
Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth autorization code.