← Back

Administrate

administrate

Vendor: Thoughtbot • 2 CVEs

CVEs (2)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2016-3098
1Thoughtbot
1Administrate
Nov 21, 2024
Aug 5, 2022
N/A· v4
5.4 MEDIUM· v3
N/A· v2
Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth autorization code.
CVE-2020-5257
1Thoughtbot
1Administrate
Nov 21, 2024
Mar 13, 2020
N/A· v4
8.1 HIGH· v3
5.5 MEDIUM· v2
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if th...Show more
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0.Show less