rubysec / ruby-advisory-db

A database of vulnerable Ruby Gems
https://rubysec.com

Add advisories from SRC:CLR #238

Open reedloden opened 8 years ago

reedloden commented 8 years ago

Just a todo list I figured I should put somewhere more public... Need to add advisories for all these:

ruby_rncryptor / ruby_rncryptor_secured -- https://srcclr.com/security/timing-attacks/ruby/s-1938

spina -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-1686

logstash-core -- https://srcclr.com/security/factoring-attack-rsa-export-keys-freak/ruby/s-1745 https://srcclr.com/security/man-middle-mitm-attacks/ruby/s-1798

facter -- https://srcclr.com/security/disclosure-amazon-ec2-iam-instance/ruby/s-1508 https://srcclr.com/security/elevation-privileges-untrusted-search/ruby/s-1586

kafo -- https://srcclr.com/security/world-readable-permissions-as-default/ruby/s-740

puppet -- https://srcclr.com/catalog/search#query=type:vulnerability%20puppet

VanessaHenderson commented 8 years ago

refinerycms-core https://srcclr.com/security/cross-site-scripting-xss-through-title/ruby/s-2168 https://srcclr.com/security/cross-site-scripting-xss-through-alt/ruby/s-2169 https://srcclr.com/security/stored-cross-site-scripting-xss-title/ruby/s-2170 https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-2171

VanessaHenderson commented 8 years ago

paperclip -- https://srcclr.com/security/denial-service-dos-through-excessive/ruby/s-2242

VanessaHenderson commented 8 years ago

admin-upmin, upmin and shoppe -- https://srcclr.com/security/cross-site-request-forgery-csrf-due-to/ruby/s-2266 devise_invitable -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-2272

reedloden commented 8 years ago

activeadmin -- https://srcclr.com/security/cross-site-scripting-xss-through-modal/ruby/s-2276

skorth commented 8 years ago

@reedloden regarding spina ruby gem https://github.com/rubysec/ruby-advisory-db/pull/250

jasnow commented 1 year ago

Not sure https://srcclr.com is an active web site.

VanessaHenderson commented 1 year ago

You are correct, SourceClear was purchased by Veracode. The easiest way to find the links now would be to search the s-* number at https://sca.analysiscenter.veracode.com/vulnerability-database A lot of them will be private unless you have a Veracode SCA account; otherwise only basic information is available.

i.e. Activeadmin that @reedloden posted is here: https://sca.analysiscenter.veracode.com/vulnerability-database/security/cross-site-scripting-xss-through-modal-dialog/ruby/sid-2276/summary

jasnow commented 1 year ago

@VanessaHenderson - Thanks for the education.

jasnow commented 1 year ago

h#query=type:vulnerability%20puppet

Need a list of specific "puppet" URLs.

jasnow commented 1 year ago

admin-upmin, upmin and shoppe -- https://srcclr.com/security/cross-site-request-forgery-csrf-due-to/ruby/s-2266 devise_invitable -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-2272

It appears that "s-2272" for devise_invitable may have been withdrawn if this is the same advisory: https://github.com/advisories/GHSA-wj5j-xpcj-45gc

VanessaHenderson commented 1 year ago

It looks like SourceClear itself hasn't withdrawn the item, I wonder why GitHub withdrew it...

jasnow commented 1 year ago

It looks like SourceClear itself hasn't withdrawn the item, I wonder why GitHub withdrew it...

Looks like all of the non-PR #616 advisories, including s-2272, appear to need a CVE/GHSA/etc. ID before they are added to the ruby-advisory-db repo, so time will tell.

VanessaHenderson commented 1 year ago

Ah yeah, that'd probably do it. SourceClear/Veracode adds vulnerabilities that aren't necessarily assigned CVEs, basing them on code fixes etc. instead of solely on CVEs.