activity_notification is vulnerable to SQL Injection
98
Critical Risk
The bulk notification endpoints open_all and destroy_all in NotificationsController forward unfiltered request parameters to the model layer, where a custom_filter value is passed directly to ActiveRecord where as a raw SQL string. An attacker can supply a crafted custom_filter to inject arbitrary SQL conditions, and two of the affected API endpoints are reachable without authentication. This allows mass modification or deletion of notification records and boolean-based blind data exfiltration. The fix restricts the controllers to a permitted set of filter keys and rejects a raw SQL string custom_filter by raising an error before it reaches the query.
You are affected if you are using a version that falls within the vulnerable range.
activity_notification is vulnerable to SQL Injection in versions 1.0.1 - 2.6.1.
Upgrade the activity_notification library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant