Heartcombo Devise vulnerabilities
3 known vulnerabilities affecting heartcombo/devise.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2015-8314 | P3 | HIGH | CVSS 7.5 | fixed in 3.5.4 | 2023-12-12
CWE-312
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
Source: nvd
CVE-2026-32700 | P4 | MEDIUM | CVSS 5.3 | fixed in 5.0.3 | 2026-03-18
CWE-362
Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes). By sending two concurrent
Source: nvd
CVE-2026-40295 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.0.4 | 2026-05-22
CWE-601
Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacke
Sources: cvelistv5, nvd