← Back

Plataformatec

plataformatec

4 CVEs • 2 products

Products (2)

Click to collapse
Toggle
Devise
devise
3 CVEs
Simple Form
simple_form
1 CVE

CVEs (4)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2019-16676
1Plataformatec
1Simple Form
Nov 21, 2024
Sep 30, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.
CVE-2019-16109
1Plataformatec
1Devise
Nov 21, 2024
Sep 8, 2019
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (Howev...Show more
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)Show less
CVE-2019-5421
1Plataformatec
1Devise
Nov 21, 2024
Apr 3, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File locat...Show more
Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later.Show less
CVE-2013-0233
2Opensuse
Plataformatec
2Devise
Opensuse
Apr 29, 2026
Apr 25, 2013
N/A· v4
N/A· v3
6.8 MEDIUM· v2
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which migh...Show more
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.Show less