CVE-2020-15169 in actionview (Moderate)

There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks.

## Impact

When an HTML-unsafe string is passed as the default for a missing translation key...


CVE-2020-16253 in pghero (Severe)

The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods.

## Impact

The PgHero dashboard is vulnerable to cross-site request forgery (CSRF). This affects the Docker image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with non-session based authentication methods like basic...


CVE-2020-16254 in chartkick (Moderate)

Chartkick is vulnerable to CSS injection if user input is passed to the width or height option:

`<%= line_chart data, width: params[:width], height: params[:height] %>`

An attacker can set additional CSS properties, like:

`<%= line_chart data, width: "100%; background-image: url('http://example.com/image.png')" %>`


CVE-2020-16252 in field_test (Moderate)

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods.

## Impact

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise's default authentication) are not affected. A CSRF attack works...
