pageflow 13.0.0.beta5

2 security vulnerabilities found in version 13.0.0.beta5

Pageflow vulnerable to sensitive user data extraction via Ransack query injection

high severity GHSA-wrrw-crp8-979q
high severity GHSA-wrrw-crp8-979q
Patched versions: ~> 14.5.2, >= 15.7.1

Impact

The attack allows extracting sensitive properties of database objects that are associated with users or entries belonging to an account that the attacker has access to.

Pageflow uses the ActiveAdmin Ruby library to provide some management features to its users. ActiveAdmin relies on the Ransack library to implement search functionality. In its default configuration, Ransack will allow for query conditions based on properties of associated database objects [1]. The *_starts_with, *_ends_with or *_contains search matchers [2] can then be abused to exfiltrate sensitive string values of associated database objects via character-by-character brute-force.

[1] https://activerecord-hackery.github.io/ransack/going-further/associations/ [2] https://activerecord-hackery.github.io/ransack/getting-started/search-matches/

Mitigation

Upgrade to version 15.7.1 or 14.5.2 of the pageflow gem.

Pageflow vulnerable to insecure direct object reference in membership update endpoint

high severity GHSA-qcqv-38jg-2r43
high severity GHSA-qcqv-38jg-2r43
Patched versions: ~> 14.5.2, >= 15.7.1

Impact

Pageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account that they have the manager role to (including their own). While the Entity dropdown select field is greyed out in the UI, an attacker can use tools which allow sending arbitrary HTTP request to craft a request to the /admin/users/{user_id}/memberships/{membership_id} endpoint containing an additional membership[entity_id] parameter. This parameter is honored when the membership is updated, allowing an attacker to update the membership object associated with their own account (with manager role) to be associated with a different attacker-chosen account instead. Since account_ids are enumerable, an attacker can compromise all accounts present on the platform.

Mitigation

Upgrade to version 15.7.1 or 14.5.2 of the pageflow gem.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.