Description
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0.
Scores
CVSS v3
7.7
EPSS
0.0019
EPSS Percentile
40.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-943
CWE-89
Status
published
Products (2)
rubygems/administrate
0 - 0.13.0RubyGems
thoughtbot/administrate
< 0.13.0
Published
Mar 13, 2020
Tracked Since
Feb 18, 2026