Description
Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/plataformatec/simple_form/commits/master
Third Party Advisory x_refsource_misc
https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
Exploit, Vendor Advisory x_refsource_confirm
http://blog.plataformatec.com.br/2019/09/incorrect-access-control-in-simple-form-cve-2019-16676/
Scores
CVSS v3
9.8
EPSS
0.0083
EPSS Percentile
74.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (2)
plataformatec/simple_form
< 5.0
rubygems/simple_form
0 - 5.0.0RubyGems
Published
Sep 30, 2019
Tracked Since
Feb 18, 2026