pageflow 0.11.2
Pageflow vulnerable to sensitive user data extraction via Ransack query injection
high severity GHSA-wrrw-crp8-979q~> 14.5.2
, >= 15.7.1
Impact
The attack allows extracting sensitive properties of database objects that are associated with users or entries belonging to an account that the attacker has access to.
Pageflow uses the ActiveAdmin
Ruby library to provide some management features to
its users. ActiveAdmin
relies on the Ransack
library to implement search
functionality. In its default configuration, Ransack
will allow for query conditions
based on properties of associated database objects [1]. The *_starts_with
,
*_ends_with
or *_contains
search matchers [2] can then be abused to exfiltrate
sensitive string values of associated database objects via character-by-character
brute-force.
[1] https://activerecord-hackery.github.io/ransack/going-further/associations/ [2] https://activerecord-hackery.github.io/ransack/getting-started/search-matches/
Mitigation
Upgrade to version 15.7.1 or 14.5.2 of the pageflow
gem.
Pageflow vulnerable to insecure direct object reference in membership update endpoint
high severity GHSA-qcqv-38jg-2r43~> 14.5.2
, >= 15.7.1
Impact
Pageflow has a membership edit feature which allows users to edit the roles of user
memberships associated with an account that they have the manager
role to (including
their own). While the Entity
dropdown select field is greyed out in the UI, an attacker
can use tools which allow sending arbitrary HTTP request to craft a request to the
/admin/users/{user_id}/memberships/{membership_id}
endpoint containing an additional
membership[entity_id]
parameter. This parameter is honored when the membership is
updated, allowing an attacker to update the membership object associated with their own
account (with manager
role) to be associated with a different attacker-chosen account
instead. Since account_id
s are enumerable, an attacker can compromise all accounts
present on the platform.
Mitigation
Upgrade to version 15.7.1 or 14.5.2 of the pageflow
gem.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Author did not declare license for this gem in the gemspec.
This gem version has a MIT license in the source code, however it was not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.