Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: simple_form
date: 2019-09-27
url: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
cve: 2019-16676
title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
description: |
  Simple Form before 5.0 has Incorrect Access Control in `file_method?` in `lib/simple_form/form_builder.rb`:
  the attribute name passed to the form builder is used as the name of a method to call on the form's object,
  so an attribute name that comes from user input lets the user invoke arbitrary methods on that object.

  Only applications that build form fields from user-controlled attribute names (for example, a field name
  taken from request parameters) are affected; forms with hard-coded attribute names are not.
patched_versions:
- ">= 5.0"
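The pattern described in the advisory, shown as an added illustration rather than simple_form's own code: a helper that decides whether an attribute is a file field by calling the method of that name on the model, with the attribute name taken from user input, next to a hardened variant that checks the name against an allowlist before any method is called. `Account`, `FakeUpload`, `FILE_METHODS` and the two helper names are assumptions made for this example; they do not reproduce simple_form's implementation.

```ruby
# Added example (not simple_form's code): why sending a user-supplied attribute
# name to the form object is an access-control bug, and one way to close it.

# Stand-in for an ActiveRecord-style model (assumption for this example). Real
# models inherit many public methods (destroy, delete, update, ...) that a form
# helper must never be able to trigger.
class Account
  attr_reader :email

  def initialize(email)
    @email = email
    @deleted = false
  end

  def deleted?
    @deleted
  end

  # Destructive method that should be unreachable from a form-building helper.
  def destroy!
    @deleted = true
    nil
  end

  # The one attribute that really is a file field.
  def avatar
    FakeUpload.new
  end
end

# Minimal stand-in for an uploaded file object (assumption for this example).
class FakeUpload
  def path
    "/tmp/avatar.png"
  end
end

# Methods whose presence marks a value as "file-like" (assumed configuration,
# in the spirit of a file_methods list; not simple_form's actual list).
FILE_METHODS = %i[path original_filename].freeze

# Vulnerable pattern: whatever string arrives as attribute_name is invoked on
# the object. respond_to? is not an access check; it only confirms the method
# exists, so "destroy!" passes straight through.
def vulnerable_file_method?(object, attribute_name)
  return false unless object.respond_to?(attribute_name)

  file = object.public_send(attribute_name)
  !!file && FILE_METHODS.any? { |m| file.respond_to?(m) }
end

# Hardened pattern: the caller supplies the set of attribute names the form is
# allowed to render; anything outside it is rejected before any call is made.
def safe_file_method?(object, attribute_name, allowed_attributes)
  name = attribute_name.to_s
  return false unless allowed_attributes.include?(name)

  file = object.public_send(name)
  !!file && FILE_METHODS.any? { |m| file.respond_to?(m) }
end

# Simulates a page that builds a form field from a query parameter. The
# constructed request below is the attacker's input: a field name that is
# really a method name.
if __FILE__ == $PROGRAM_NAME
  params = { "field" => "destroy!" } # constructed attacker-controlled input
  account = Account.new("alice@example.com")

  vulnerable_file_method?(account, params["field"])
  puts "vulnerable helper: account deleted? #{account.deleted?}"

  account = Account.new("alice@example.com")
  safe_file_method?(account, params["field"], %w[email avatar])
  puts "hardened helper:   account deleted? #{account.deleted?}"
end
```

The hardened version does not try to detect "dangerous" names; it inverts the decision so that only names the application explicitly exposes are ever sent to the object. In a Rails application the allowlist would be the attributes the form is meant to render, and the field name from `params` would be validated against it before reaching the builder.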