Early Access — Mondoo Vulnerability Intelligence is currently in preview.
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0.
Exploitability
AV:NAC:HPR:LUI:RScope
S:CImpact
C:HI:HA:N7.7/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:NOther