Plataformatec Devise vulnerabilities
6 known vulnerabilities affecting plataformatec/devise.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 4
Vulnerabilities
CVE-2013-0233 | P3 | MEDIUM | CVSS 6.8 | PoC available | affected: v1.5.0, v1.5.1, +13 more | 2013-04-25
CVE-2013-0233 [MEDIUM] CWE-399
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by
Sources: GHSA, NVD, OSV
CVE-2019-5421 | P3 | CRITICAL | CVSS 9.8 | affected: ≤ 4.5.0 | 2019-04-03
CVE-2019-5421 [CRITICAL] CWE-367
Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 (time-of-check/time-of-use) vulnerability in the `Devise::Models::Lockable` class, specifically in the `#increment_failed_attempts` method (file: lib/devise/models/lockable.rb). Multiple concurrent requests can prevent an attacker from being blocked on br
Sources: GHSA, NVD, OSV
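The race is easier to see in code. The following Ruby script is an added illustration written for this page, not Devise's own code: an in-memory `FakeUsersTable` stands in for the database, `racy_failed_login` does the read-modify-write that the advisory describes (read the counter, add one in application code, write it back), `atomic_failed_login` makes the increment a single indivisible database operation (the equivalent of one `UPDATE users SET failed_attempts = failed_attempts + 1` statement), and `simulate` fires a burst of concurrent failed logins at one account. `MAXIMUM_ATTEMPTS = 5`, the table and the function names are assumptions for the example.

```ruby
# Added illustration of the CWE-367 pattern behind CVE-2019-5421.
# Not Devise's code: an in-memory "users table" stands in for the database,
# and MAXIMUM_ATTEMPTS, FakeUsersTable and the handler names are assumptions.
MAXIMUM_ATTEMPTS = 5

class FakeUsersTable
  def initialize
    @rows  = { 1 => { failed_attempts: 0, locked_at: nil } }
    @mutex = Mutex.new # stands in for the database's per-statement atomicity
  end

  # SELECT ... WHERE id = ?
  def read(id)
    @mutex.synchronize { @rows[id].dup }
  end

  # UPDATE users SET <column> = <value> WHERE id = ?
  def write(id, attrs)
    @mutex.synchronize { @rows[id].merge!(attrs) }
  end

  # UPDATE users SET <column> = <column> + 1 WHERE id = ?
  # The read and the write are one indivisible operation; returns the new value.
  def increment_counter(id, column)
    @mutex.synchronize { @rows[id][column] += 1 }
  end
end

# Vulnerable shape (time-of-check to time-of-use): every request reads the
# counter, computes +1 in application code, then writes the stale result back.
# Concurrent requests all read the same old value and all write old + 1.
def racy_failed_login(db, id)
  attempts = db.read(id)[:failed_attempts]
  sleep 0.1 # widens the window that real request latency provides
  attempts += 1
  db.write(id, failed_attempts: attempts)
  db.write(id, locked_at: Time.now) if attempts >= MAXIMUM_ATTEMPTS
end

# Hardened shape: the database increments the counter atomically and returns
# the true value, so N concurrent failures always count as N.
def atomic_failed_login(db, id)
  sleep 0.1
  attempts = db.increment_counter(id, :failed_attempts)
  db.write(id, locked_at: Time.now) if attempts >= MAXIMUM_ATTEMPTS
end

# Fire `count` failed logins against the same account at once; return the row.
def simulate(count, strategy)
  db = FakeUsersTable.new
  workers = Array.new(count) do
    Thread.new do
      strategy == :atomic ? atomic_failed_login(db, 1) : racy_failed_login(db, 1)
    end
  end
  workers.each(&:join)
  db.read(1)
end

if __FILE__ == $PROGRAM_NAME
  racy   = simulate(20, :racy)
  atomic = simulate(20, :atomic)
  puts "read-modify-write: #{racy[:failed_attempts]} attempts recorded, locked? #{!racy[:locked_at].nil?}"
  puts "atomic increment:  #{atomic[:failed_attempts]} attempts recorded, locked? #{!atomic[:locked_at].nil?}"
end
```

Run it and the read-modify-write variant records a single failed attempt for twenty concurrent requests and never locks the account, while the atomic variant records all twenty and locks it once the threshold is crossed. The `sleep` only widens the window that real request latency provides; it is not what causes the bug, and an attacker gets the same effect by sending the guesses in parallel.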
CVE-2015-8314 | P3 | HIGH | affected: ≥ 0, < 3.5.4 | 2023-01-26
CVE-2015-8314 [HIGH] CWE-288 Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie
Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.
Sources: GHSA, OSV
CVE-2026-32700 | P4 | MEDIUM | affected: ≥ 0, < 5.0.3 | 2026-03-17
CVE-2026-32700 [MEDIUM] CWE-362 Devise Confirmable "change email" race condition permits a user to confirm an email they have no access to
### Impact
A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the `reconfirmable` option (the default when using Confirmable with email changes).
Sources: GHSA, OSV
CVE-2026-40295 | P4 | MEDIUM | affected: ≥ 0, < 5.0.4 | 2026-05-08
CVE-2026-40295 [MEDIUM] CWE-601 Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
## Summary
When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session time
Sources: GHSA
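What validation of `request.referrer` should look like, as an added example written for this page and not Devise's `FailureApp` code: the helper below derives a redirect target from the `Referer` header but only ever returns a root-relative path on the application itself, falling back to the sign-in page for anything else. `APP_HOST`, `FALLBACK_PATH`, `safe_redirect_target` and the sample header values are assumptions for the example.

```ruby
require "uri"

# Added illustration for CVE-2026-40295: treat the Referer header as untrusted
# input and only ever redirect to a path on this application. This is not
# Devise's FailureApp code; APP_HOST, FALLBACK_PATH and safe_redirect_target
# are assumptions made for the example.
APP_HOST      = "app.example.com"
FALLBACK_PATH = "/users/sign_in"

# Returns a root-relative path derived from `referrer` when it points at this
# application, and FALLBACK_PATH otherwise. The return value never carries a
# scheme or host, so the Location header cannot send the browser off-site.
def safe_redirect_target(referrer, app_host: APP_HOST, fallback: FALLBACK_PATH)
  return fallback if referrer.nil? || referrer.strip.empty?

  uri = begin
    URI.parse(referrer.strip)
  rescue URI::InvalidURIError
    return fallback # e.g. backslashes or control characters in the header
  end

  # Only plain web URLs or relative references; no javascript:, data:, etc.
  return fallback unless uri.scheme.nil? || %w[http https].include?(uri.scheme.downcase)

  # A host, if present, must be exactly ours (case-insensitive). This rejects
  # "//evil.example/x" (protocol-relative), "https://evil.example",
  # "https://app.example.com.evil.example" and "https://app.example.com@evil.example"
  # (the parser puts the real host after the "@").
  return fallback unless uri.host.nil? || uri.host.casecmp?(app_host)

  # "http:foo"-style references carry an opaque part instead of a path.
  return fallback if uri.opaque && !uri.opaque.empty?

  path = uri.path.to_s
  path = "/" if path.empty?
  return fallback unless path.start_with?("/") && !path.start_with?("//")

  # Rebuild the target from the parsed parts rather than echoing the header.
  uri.query ? "#{path}?#{uri.query}" : path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Referer values for the demo, not captured traffic.
  [
    "https://app.example.com/settings?tab=security",
    "/account/edit",
    "https://evil.example/phish",
    "//evil.example/phish",
    "https://app.example.com.evil.example/",
    "https://app.example.com@evil.example/",
    "javascript:alert(1)",
    nil,
  ].each { |ref| puts "#{ref.inspect.ljust(48)} -> #{safe_redirect_target(ref)}" }
end
```

The important design choice is that the return value is rebuilt from the parsed path and query rather than echoing the header back, so even a referrer that passes the host check cannot smuggle a scheme or authority into the `Location` header. Host comparison is exact; a prefix or suffix match would let `app.example.com.evil.example` through, and the `userinfo@host` form is rejected because the real host is the part after the `@`.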
CVE-2019-16109 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.7.1 | 2019-09-08
CVE-2019-16109 [MEDIUM]
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
Sources: GHSA, NVD, OSV