PT-2020-18351 · Rubygems · Administrate

Benoit Côté-Jodoin

·

Published

2020-03-13

·

Updated

2020-03-18

·

CVE-2020-5257

CVSS v3.1

7.7

High

Vector AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Administrate (rubygem), versions prior to 0.13.0

Description

When a dashboard is sorted by an attribute, Administrate interpolated the direction request parameter into the ORDER BY clause of the SQL query without validating it. An attacker who could supply an arbitrary direction value could therefore inject SQL into the ordering clause, provided the injected fragment also got past ActiveRecord's own protections: from Rails 6.0, order raises ActiveRecord::UnknownAttributeReference for raw SQL that does not look like a column name with an optional ASC/DESC, whereas Rails 5.2 only logs a deprecation warning and earlier releases perform no such check. Exploitation requires access to the Administrate dashboards, which are typically placed behind authentication, so the realistic attacker is an authenticated user with dashboard access.

Recommendations

Update to Administrate 0.13.0 or later. If updating is not immediately possible, restrict access to the Administrate dashboards (authentication plus role or network restrictions) so that only trusted users can reach the sorting endpoints. In application code that builds its own ORDER BY clauses, reduce the direction parameter to one of the two known values ("asc" or "desc") before it reaches the query instead of interpolating the raw string.
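The following Ruby illustration is added here and is not Administrate's code or its 0.13.0 fix; it shows the pattern the description refers to, an unvalidated direction parameter interpolated into an ORDER BY fragment, beside the allowlist that closes the hole. The params hash, the sortable attribute list and the injected value are constructed for the example, and the COLUMN_WITH_ORDER regex is a simplified approximation of the column-name-with-direction check ActiveRecord applies to raw order arguments from Rails 6.0 (an assumption, not the exact Rails pattern).

```ruby
# Added illustration, not Administrate's code. Constructed stand-ins for a
# dashboard's sortable columns and the only directions that should ever
# reach the database.
SORTABLE_ATTRIBUTES = %w[id name email created_at].freeze
VALID_DIRECTIONS = %w[asc desc].freeze

# Vulnerable pattern: whatever arrives in params[:direction] is interpolated
# verbatim into the SQL fragment handed to `order`, so any value other than
# "asc"/"desc" becomes part of the ORDER BY clause.
def order_clause_vulnerable(params)
  "#{params[:order]} #{params[:direction]}"
end

# Hardened pattern: both halves of the clause are reduced to a known value
# before any string is built. An unknown attribute falls back to the first
# sortable column and an unknown direction to ascending, so attacker input
# never appears in the SQL text.
def order_clause_safe(params)
  requested_attribute = params[:order].to_s
  requested_direction = params[:direction].to_s.downcase
  attribute = SORTABLE_ATTRIBUTES.include?(requested_attribute) ? requested_attribute : SORTABLE_ATTRIBUTES.first
  direction = VALID_DIRECTIONS.include?(requested_direction) ? requested_direction : "asc"
  "#{attribute} #{direction}"
end

# Simplified approximation (assumption) of the check ActiveRecord runs on raw
# `order` arguments from Rails 6.0: a bare column, optionally table-qualified,
# followed by an optional ASC/DESC and NULLS FIRST/LAST. Anything else raises
# ActiveRecord::UnknownAttributeReference unless wrapped in Arel.sql.
COLUMN_WITH_ORDER = /\A(?:\w+\.)?\w+(?:\s+asc|\s+desc)?(?:\s+nulls\s+(?:first|last))?\z/i

def accepted_by_activerecord?(clause)
  COLUMN_WITH_ORDER.match?(clause)
end

if __FILE__ == $0
  # Constructed request: a legitimate sort column with a tampered direction.
  tampered = { order: "name", direction: "asc, (SELECT 1)" }
  puts "vulnerable: #{order_clause_vulnerable(tampered)}"
  puts "safe:       #{order_clause_safe(tampered)}"
  puts "rails 6 check passes injected clause? #{accepted_by_activerecord?(order_clause_vulnerable(tampered))}"
end
```

The allowlist is the check that matters: it makes the ActiveRecord pattern check irrelevant, which is the right posture because that check only exists on Rails 6.0 and later and is not a substitute for validating input in the gem or application itself.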

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2020-5257
GHSA-2P5P-M353-833W

Affected Products

Administrate