In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-03-13T21:05:15
Updated: 2024-08-04T08:22:09.077Z
Reserved: 2020-01-02T00:00:00
Link: CVE-2020-5257
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2020-03-13T21:15:12.190
Modified: 2020-03-18T16:05:25.407
Link: CVE-2020-5257
Redhat
No data.