
How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!


Latest Gem Vulnerabilities

CVE-2020-16254 in chartkick
Moderate

Chartkick is vulnerable to CSS injection if user input is passed to the width or height option:

<%= line_chart data, width: params[:width], height: params[:height] %>

An attacker can set additional CSS properties, for example:

<%= line_chart data, width: "100%; background-image: url('http://example.com/image.png')" %>
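The option values above end up in the chart container's inline style attribute, so the fix on the application side is to never forward raw request input as a size. The following is an added example, not Chartkick's own code: it allows only plain CSS lengths for width and height, falls back to a default otherwise, and uses the hypothetical helpers safe_chart_size, chart_options and chart_container_style (the last is a simplified stand-in for the style string Chartkick emits).

```ruby
# Added example, not Chartkick's own code: validate the width/height options
# before they reach line_chart. Chartkick writes these values into the chart
# container's inline style attribute, so any value containing ";" lets an
# attacker append arbitrary CSS declarations (the payload in the advisory).
# Only plain CSS lengths pass; anything else falls back to a fixed default.

# A CSS length: an integer or decimal followed by one of the units we allow.
# \A and \z anchor the whole string, so "100%; background-image: ..." fails.
SAFE_CSS_LENGTH = /\A\d+(?:\.\d+)?(?:px|%|em|rem|vh|vw)\z/.freeze

def safe_chart_size(value, default)
  str = value.to_s.strip
  SAFE_CSS_LENGTH.match?(str) ? str : default
end

# Hypothetical helper standing in for a view that forwards request params:
#   <%= line_chart data, **chart_options(params) %>
def chart_options(params)
  {
    width:  safe_chart_size(params["width"],  "100%"),
    height: safe_chart_size(params["height"], "300px"),
  }
end

# Simplified version of the inline style Chartkick emits for the container,
# to show where an unvalidated value would land.
def chart_container_style(opts)
  "width: #{opts[:width]}; height: #{opts[:height]};"
end

if $PROGRAM_NAME == __FILE__
  # Constructed request params carrying the advisory's payload.
  attacker = {
    "width"  => "100%; background-image: url('http://example.com/image.png')",
    "height" => "300px",
  }
  puts chart_container_style(chart_options(attacker))
end
```

The allow-list is deliberately narrow: a chart size never needs a semicolon, a URL, or a `calc()` expression, so rejecting everything but `<number><unit>` costs nothing and removes the injection surface entirely. Upgrading to a patched chartkick release is still the primary fix; this guard is defence in depth for any view that takes sizes from the request.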

Published 3 months ago
CVE-2020-15109 in solidus_api
Moderate

Impact: This vulnerability allows a malicious customer to craft request data with parameters that change the address of the current order without recalculating the shipment costs for the new shipment. All stores with at least two shipping zones and different shipment costs per zone are affected. E.g. 1. Store...

Published 3 months ago
CVE-2020-16253 in pghero
Severe

The PgHero dashboard is vulnerable to cross-site request forgery (CSRF) with non-session-based authentication methods. Impact: This affects the Docker image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with non-session-based authentication methods like basic...

Published 3 months ago
CVE-2020-16252 in field_test
Moderate

The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) with non-session-based authentication methods, like basic authentication. Session-based authentication methods (like Devise's default authentication) are not affected. A CSRF attack works...
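Both the PgHero and the Field Test entries above describe the same failure mode: with HTTP basic auth the browser attaches the cached Authorization header to any request a third-party page triggers, and there is no session to bind a CSRF token to. The following is an added example serving both entries, not the code of either gem: a Rack middleware that rejects state-changing requests whose Origin (or, failing that, Referer) is not the dashboard's own host. The class name SameOriginGuard, the DASHBOARD stand-in app and the helpers build_env and guarded_status are hypothetical; the env hash is constructed inline so no Rack server is needed to run it.

```ruby
require "uri"

# Added example, not PgHero's or Field Test's code: block cross-site
# state-changing requests in front of a dashboard protected by basic auth.
class SameOriginGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(app, allowed_hosts:)
    @app = app
    @allowed_hosts = allowed_hosts
  end

  def call(env)
    return @app.call(env) if SAFE_METHODS.include?(env["REQUEST_METHOD"])
    return @app.call(env) if same_origin?(env)

    [403, { "content-type" => "text/plain" }, ["Cross-origin request rejected\n"]]
  end

  private

  # Browsers send Origin on cross-origin POSTs, including plain form
  # submissions; Referer is the fallback. A request carrying neither, or
  # "Origin: null", is treated as untrusted rather than waved through.
  def same_origin?(env)
    source = env["HTTP_ORIGIN"] || env["HTTP_REFERER"]
    return false if source.nil? || source == "null"

    uri = URI.parse(source)
    return false unless uri.host

    @allowed_hosts.include?(uri.host)
  rescue URI::InvalidURIError
    false
  end
end

# Stand-in for the dashboard: a Rack app that would perform a destructive
# action on any request that reaches it.
DASHBOARD = ->(_env) { [200, { "content-type" => "text/plain" }, ["action performed\n"]] }

# Build a minimal Rack env hash by hand (constructed input, no real server).
def build_env(method, headers = {})
  env = { "REQUEST_METHOD" => method, "HTTP_HOST" => "dashboard.example.internal" }
  headers.each { |name, value| env["HTTP_#{name.upcase.tr('-', '_')}"] = value }
  env
end

# Status code the guarded dashboard returns for a given request.
def guarded_status(method, headers = {})
  app = SameOriginGuard.new(DASHBOARD, allowed_hosts: ["dashboard.example.internal"])
  app.call(build_env(method, headers)).first
end

if $PROGRAM_NAME == __FILE__
  puts guarded_status("POST", "Origin" => "https://dashboard.example.internal") # same origin
  puts guarded_status("POST", "Origin" => "https://attacker.example")           # forged form post
end
```

The allowed hosts are configured explicitly rather than read from the Host header, since that header is also attacker-influenced in some deployments. An origin check is one practical mitigation when no session exists; upgrading to the fixed gem versions remains the primary action.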

Published 3 months ago
CVE-2020-15134 in faye
Critical

Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that...
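What "certificate verification" means for a `wss:` client is easiest to see offline. The following is an added example, not Faye's, EventMachine's or faye-websocket's code, and it does not use their APIs: it builds a throwaway CA, a server certificate signed by that CA, and a self-signed certificate standing in for a man-in-the-middle, then compares a verifying client (chain check against the trust store plus hostname check) with the accept-anything behaviour the advisory describes. The names build_cert, verify_server_cert and accept_without_verification, and the host push.example.com, are hypothetical.

```ruby
require "openssl"

# Added example, not Faye's code: a verifying TLS client versus one that
# skips verification, demonstrated with certificates generated in-process.

def build_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject # self-signed if no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}")) if san

  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed PKI: a trusted CA, the legitimate server, and an impostor that
# presents the same hostname but is signed by nobody the client trusts.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = build_cert("/CN=Example Test CA", CA_KEY, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = build_cert("/CN=push.example.com", SERVER_KEY,
                         issuer_cert: CA_CERT, issuer_key: CA_KEY, san: "push.example.com")
MITM_KEY    = OpenSSL::PKey::RSA.new(2048)
MITM_CERT   = build_cert("/CN=push.example.com", MITM_KEY, san: "push.example.com")

# What a verifying client does after the handshake: check the chain against
# the trust store, then check that the certificate is for the host it dialed.
# Either failure aborts the connection.
def verify_server_cert(cert, expected_host, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  return false unless store.verify(cert)

  OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# The behaviour the advisory describes: whatever the peer presents is accepted,
# so the impostor's certificate is as good as the real one.
def accept_without_verification(_cert, _expected_host)
  true
end

if $PROGRAM_NAME == __FILE__
  puts "verifying client, real server:   #{verify_server_cert(SERVER_CERT, 'push.example.com', CA_CERT)}"
  puts "verifying client, impostor:      #{verify_server_cert(MITM_CERT, 'push.example.com', CA_CERT)}"
  puts "unverified client, impostor:     #{accept_without_verification(MITM_CERT, 'push.example.com')}"
end
```

Both checks matter: a chain check alone would accept any certificate the CA issued for some other host, and a hostname check alone would accept a self-signed certificate that simply claims the right name. Whatever option a given client library exposes for this, the setting to look for is the one that enables peer verification against a trust store; the fixed faye versions referenced in the advisory are where to look for the exact option.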

Published 3 months ago

Vulnerabilities in the Past 12 Months

Month   Vulnerabilities
Nov     3
Dec     3
Jan     3
Feb     3
Mar     5
Apr     2
May     13
Jun     5
Jul     2
Aug     4
Sep     3
Oct     2

Vulnerabilities in the Past 6 Years

Year    Vulnerabilities
2015    46
2016    34
2017    35
2018    36
2019    47
2020    42