Impact
When sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections.
Whilst this does have a high impact, to exploit this you need access to the Administrate dashboards, which we'd expect to be behind authentication.
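The following is an added illustration, not Administrate's own code: it contrasts an ordering helper that interpolates a caller-supplied direction straight into SQL with one that checks the value against an allowlist first. The method names and the sample request parameters are hypothetical, and the attribute name is assumed to have been validated separately.

```ruby
# Added example (not Administrate's code). Shows the unvalidated-direction
# pattern described in the advisory next to an allowlisted version.
# All method names here are hypothetical.

ALLOWED_DIRECTIONS = %w[asc desc].freeze

# Vulnerable pattern: whatever arrives in `direction` lands in the query as-is,
# so a tampered value is no longer just a sort direction.
def unchecked_order_clause(attribute, direction)
  "ORDER BY #{attribute} #{direction}"
end

# Hardened pattern: accept only an exact allowlisted token (case-insensitive)
# and fall back to a safe default for anything else.
def checked_direction(direction)
  value = direction.to_s.strip.downcase
  ALLOWED_DIRECTIONS.include?(value) ? value : "asc"
end

def checked_order_clause(attribute, direction)
  # `attribute` is assumed to have been validated against the dashboard's
  # known attribute list before reaching this point.
  "ORDER BY #{attribute} #{checked_direction(direction)}"
end

# Constructed sort parameters a dashboard request might carry; the second one
# is the kind of value the allowlist exists to reject.
SAMPLE_PARAMS = [
  { attribute: "name", direction: "DESC" },
  { attribute: "name", direction: "desc; SELECT 1" },
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PARAMS.each do |p|
    puts "unchecked: #{unchecked_order_clause(p[:attribute], p[:direction])}"
    puts "checked:   #{checked_order_clause(p[:attribute], p[:direction])}"
  end
end
```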
Patches
Version v0.13.0 will fix this issue.
Workarounds
There's no workaround a user can do as this is implemented inside Administrate's ordering functionality.
Attribution
Thank you to Benoit Côté-Jodoin from Shopify for reporting this.
For more information
If you have any questions or comments about this advisory: