Category Archives: security fix

XSS vulnerability on Simple Form

- Rafael França
- November 26, 2014
- English open source security fix simple form

There is a XSS vulnerability on Simple Form’s error options. Versions affected: >= 2.0.0 Not affected: < 2.0.0 Fixed versions: 3.1.0, 3.0.3, 2.1.2 Impact When Simple Form renders an error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the error message can be provided … »

XSS vulnerability on Simple Form

- Rafael França
- November 29, 2013
- English security fix simple_form

There is a XSS vulnerability on Simple Form’s label, hint and error options. Fixed versions: 3.0.1, 2.1.1

E-mail enumeration in Devise in paranoid mode

- José Valim
- November 13, 2013
- devise English security fix

It has been reported that malicious users can do e-mail enumeration on sign in via timing attacks despite paranoid mode being enabled. Whenever you try to reset your password or confirm your account, Devise gives you precise information on how to proceed, if the e-mail given is valid, if the token has not expired and […]

The Ruby Rails Aggregator