Skip to content

Sort order SQL injection in Administrate

high severity CVE-2020-5257 published Mar 13, 2020 • updated Mar 13, 2020
Repository
@thoughtbot thoughtbot/administrate
Packages Affected versions Patched versions
administrate (RubyGems) < 0.13.0 0.13.0

In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard,
the direction parameter was not validated before being interpolated into the SQL query.
This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections.

Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication.

This is patched in wersion 0.13.0.

References

@nickcharlton nickcharlton published the maintainer security advisory Mar 13, 2020
You can’t perform that action at this time.