Rubysec


Advisory Archive


---
gem: marginalia
date: 2019-07-26
url: https://github.com/basecamp/marginalia/pull/73
cve: 2019-1010191
title: SQL injection vulnerability via Marginalia::Comment
description: |
  The 'marginalia' gem is affected by a SQL Injection vulnerability. All SQL
  queries are affected when a user-controlled argument is added as a component.

  This affects users that add a component that is user-controlled, for instance
  a parameter or a header.

  The issue is resolved in version 1.6.
cvss_v3: '9.8'
patched_versions:
- ">= 1.6"