RubySec

Providing security resources for the Ruby community

CVE-2019-16676 (simple_form): simple_form Gem for Ruby Incorrect Access Control for forms based on user input

ADVISORIES

GEM

simple_form

SEVERITY

CVSS v3: 9.8 (Critical)

PATCHED VERSIONS

  • >= 5.0

DESCRIPTION

Simple Form before 5.0 has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.

This only happens for pages that build forms based on user input.