ADVISORIES

• CVE-2019-16676 (NVD)
• GHSA-r74q-gxcg-73hx
• Vendor Advisory

GEM

simple_form

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

• >= 5.0

DESCRIPTION

Simple Form before 5.0 has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.

This only happens for pages that build forms based on user input.