Plataformatec Devise 4.4.2

CPE Details

2019-05-03 17h19 +00:00

CPE Name: cpe:2.3:a:plataformatec:devise:4.4.2:*:*:*:*:*:*:*

Information

Vendor: plataformatec
Product: devise
Version: 4.4.2

Related CVE

CVE ID: CVE-2019-16109
Published: 2019-09-08 17h57 +00:00
Description: An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
Score: 5.3
Severity: Medium

CVE ID: CVE-2019-5421
Published: 2019-04-03 12h21 +00:00
Description: Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method (file location: lib/devise/models/lockable.rb), that can result in multiple concurrent requests preventing an attacker from being blocked on brute force attacks. This attack appears to be exploitable via network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later.
Score: 9.8
Severity: Critical