publify_core 9.0.1

13 security vulnerabilities found in version 9.0.1

Publify Improper Input Validation vulnerability

critical severity CVE-2023-0299
Patched versions: >= 9.2.10

Improper Input Validation in GitHub repository publify/publify prior to 9.2.10.

Integer overflow in publify_core

critical severity CVE-2022-1812
Patched versions: >= 9.2.10

Integer Overflow or Wraparound in GitHub repository publify/publify prior to 9.2.10 due to an unlimited length user name field.

Cross site scripting in publify

high severity CVE-2022-1811
Patched versions: >= 9.2.9

Unrestricted file upload allowed an attacker to manipulate the request and bypass the protection against HTML files by submitting the content as a text file. Stored XSS may result.

Publify contains Weak Password Requirements

medium severity CVE-2023-0569
Patched versions: >= 9.2.10

Weak Password Requirements in GitHub repository publify/publify prior to 9.2.10.

Publify Core does not strip metadata from images

medium severity CVE-2022-2815
Patched versions: >= 9.2.10

Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.

Improper Access Control in publify

medium severity CVE-2022-1810
Patched versions: >= 9.2.9

A low-privileged user can modify and delete admin articles simply by changing the value of the article[id] parameter, in versions prior to 9.2.9.

Article metadata exposure in publify

medium severity CVE-2022-1553
Patched versions: >= 9.2.8

Password-protected article content is leaked due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article on the Publify website, compromising the confidentiality and integrity of users.

Code injection in publify

medium severity CVE-2022-0578
Patched versions: >= 9.2.8

Code Injection in GitHub repository publify/publify prior to 9.2.8.

Incorrect Authorization in publify

medium severity CVE-2022-0574
Patched versions: >= 9.2.8

Improper Access Control in GitHub repository publify/publify prior to 9.2.8. Anonymous users can't view but can leave comments on an article in draft mode.

Business Logic Errors in Publify

medium severity CVE-2022-0524
Patched versions: >= 9.2.7

Publify (formerly known as Typo) prior to version 9.2.7 is vulnerable to business logic errors.

Cross site scripting in publify

medium severity CVE-2021-25975
Patched versions: >= 9.2.5
Unaffected versions: < 8.0

In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the 'publisher' role to inject malicious JavaScript via an uploaded HTML file.

Cross site scripting in publify

medium severity CVE-2021-25974
Patched versions: >= 9.2.5
Unaffected versions: < 8.0

In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a 'publisher' role is able to inject and execute arbitrary JavaScript code while creating a page/article.

Improper Authorization in Publify

medium severity CVE-2021-25973
Patched versions: >= 9.2.5
Unaffected versions: < 9.0.0.pre1

In Publify, versions 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. Users with the guest role can self-register even when the admin does not allow it, because the restriction is enforced only on the front end.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.