Name of the Vulnerable Software and Affected Versions pageflow versions prior to 14.5.2 pageflow versions prior to 15.7.1

Description The issue allows attackers to extract sensitive properties of database objects associated with users or entries belonging to an account they have access to. This is possible due to the default configuration of the Ransack library, which is used by ActiveAdmin for search functionality in pageflow. The * starts with, * ends with, or * contains search matchers can be abused to exfiltrate sensitive string values via character-by-character brute-force.

Recommendations For versions prior to 14.5.2, upgrade to version 14.5.2 of the pageflow gem. For versions prior to 15.7.1, upgrade to version 15.7.1 of the pageflow gem.