MEDIUM🇵🇱 Wersja polska

CVE-2019-16109

CVSS 5.3v3.1pub. 2019-09-08upd. 2024-11-21

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Plataformatec Devise

    APP
    Plataformatec
    < 4.7.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2019-5421CRITICAL9.8ten sam produkt

Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in ...

CVE-2013-0233MEDIUM6.8ten sam produkt

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when u...

CVE-2019-16676CRITICAL9.8ten sam vendor

Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, bec...