Updated advisory posts against rubysec/ruby-advisory-db@722d9d9

Author: jasnow

advisories/_posts/2026-03-16-CVE-2026-32700.md

@@ -0,0 +1,69 @@
+---
+layout: advisory
+title: 'CVE-2026-32700 (devise): Confirmable "change email" race condition permits
+  user to confirm email they have no access to'
+comments: false
+categories:
+- devise
+advisory:
+  gem: devise
+  cve: 2026-32700
+  ghsa: 57hq-95w6-v4fc
+  url: https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
+  title: Confirmable "change email" race condition permits user to confirm email they
+    have no access to
+  date: 2026-03-16
+  description: |
+    ## Impact
+
+    A race condition in Devise's Confirmable module allows an attacker
+    to confirm an email address they do not own. This affects any Devise
+    application using the reconfirmable option (the default when using
+    Confirmable with email changes).
+
+    By sending two concurrent email change requests, an attacker can
+    desynchronize the confirmation_token and unconfirmed_email fields.
+    The confirmation token is sent to an email the attacker controls,
+    but the unconfirmed_email in the database points to a victim's
+    email address. When the attacker uses the token, the victim's email
+    is confirmed on the attacker's account.
+
+    ## Patch
+
+    This is patched in Devise v5.0.3. Users should upgrade as soon as possible.
+
+    ## Workaround
+
+    Applications can override this specific method from Devise models
+    to force unconfirmed_email to be persisted when unchanged:
+    (assuming your model is User)
+
+    ```
+    class User < ApplicationRecord
+      protected
+
+      def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
+        unconfirmed_email_will_change!
+        super
+      end
+    end
+    ```
+
+    Note: Mongoid does not seem to respect that will_change! should
+    force the attribute to be persisted, even if it did not really
+    change, so you might have to implement a workaround similar to
+    Devise by setting changed_attributes["unconfirmed_email"] = nil as well.
+  patched_versions:
+  - ">= 5.0.3"
+  related:
+    url:
+    - https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released
+    - https://github.com/heartcombo/devise/pull/5784
+    - https://github.com/heartcombo/devise/issues/5783
+    - https://portswigger.net/research/smashing-the-state-machine
+    - https://groups.google.com/g/heartcombo/c/ieiLJhG4EGE/m/PNlIQv54AAAJ
+    - https://groups.google.com/g/heartcombo/c/o9mtkcfvt_g/m/SABX6rp8AgAJ
+    - https://groups.google.com/g/heartcombo/c/XDII89RV6Ak/m/AJMOyayNAgAJ
+    - https://groups.google.com/g/heartcombo/c/TWge7vKELhc/m/gRTrgKz4CQAJ
+    - https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
+---

advisories/_posts/2026-03-17-CVE-2026-4324.md

@@ -0,0 +1,35 @@
+---
+layout: advisory
+title: 'CVE-2026-4324 (katello): Katello - Denial of Service and potential information
+  disclosure via SQL injection'''
+comments: false
+categories:
+- katello
+advisory:
+  gem: katello
+  cve: 2026-4324
+  ghsa: fwj4-6wgp-mpxm
+  url: https://access.redhat.com/security/cve/CVE-2026-4324
+  title: Katello - Denial of Service and potential information disclosure via SQL
+    injection'
+  date: 2026-03-17
+  description: |
+    A flaw was found in the Katello plugin for Red Hat Satellite. This
+    vulnerability, caused by improper sanitization of user-provided
+    input, allows a remote attacker to inject arbitrary SQL commands
+    into the sort_by parameter of the /api/hosts/bootc_images API
+    endpoint. This can lead to a Denial of Service (DoS) by triggering
+    database errors, and potentially enable Boolean-based Blind SQL
+    injection, which could allow an attacker to extract sensitive
+    information from the database.
+  cvss_v3: 5.4
+  patched_versions:
+  - ">= 4.19.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-4324
+    - https://access.redhat.com/security/cve/CVE-2026-4324
+    - https://bugzilla.redhat.com/show_bug.cgi?id=2448349
+    - https://github.com/Katello/katello/commit/a0a793b08d4f0a897ee985d79a687ad043f99e57
+    - https://github.com/advisories/GHSA-fwj4-6wgp-mpxm
+---

advisories/_posts/2026-03-18-CVE-2026-33209.md

@@ -0,0 +1,40 @@
+---
+layout: advisory
+title: 'CVE-2026-33209 (avo): Avo has a XSS vulnerability on `return_to` param'
+comments: false
+categories:
+- avo
+advisory:
+  gem: avo
+  cve: 2026-33209
+  ghsa: 762r-27w2-q22j
+  url: https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j
+  title: Avo has a XSS vulnerability on `return_to` param
+  date: 2026-03-18
+  description: |
+    ## Description
+
+    A reflected cross-site scripting (XSS) vulnerability exists in
+    the `return_to` query parameter used in the avo interface.
+
+    An attacker can craft a malicious URL that injects arbitrary
+    JavaScript, which is executed when he clicks a dynamically
+    generated navigation button.
+
+    ## Impact
+
+    This vulnerability may allow execution of arbitrary JavaScript
+    in the context of the application.
+
+    Impact varies depending on deployment:
+    - In unauthenticated setups: exploitable via crafted links sent to users.
+    - In authenticated setups: limited to authenticated users and
+      requires interaction.
+  cvss_v4: 5.3
+  patched_versions:
+  - ">= 3.30.3"
+  related:
+    url:
+    - https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j
+    - https://github.com/advisories/GHSA-762r-27w2-q22j
+---

advisories/_posts/2026-03-18-GHSA-46fp-8f5p-pf2m.md

@@ -0,0 +1,59 @@
+---
+layout: advisory
+title: 'GHSA-46fp-8f5p-pf2m (loofah): Improper detection of disallowed URIs by Loofah
+  `allowed_uri?`'
+comments: false
+categories:
+- loofah
+advisory:
+  gem: loofah
+  ghsa: 46fp-8f5p-pf2m
+  url: https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m
+  title: Improper detection of disallowed URIs by Loofah `allowed_uri?`
+  date: 2026-03-18
+  description: |
+    ## Summary
+
+    `Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject
+    `javascript:` URIs when the scheme is split by HTML entity-encoded
+    control characters such as `
` (carriage return), `
`
+    (line feed), or `	` (tab).
+
+    ## Details
+
+    The `allowed_uri?` method strips literal control characters before
+    decoding HTML entities. Payloads like `java
script:alert(1)`
+    survive the control character strip, then `
` is decoded to
+    a carriage return, producing `java\rscript:alert(1)`.
+
+    Note that the Loofah sanitizer's default `sanitize()` path is
+    **not affected** because Nokogiri decodes HTML entities during
+    parsing before Loofah evaluates the URI protocol. This issue only
+    affects direct callers of the `allowed_uri?` string-level helper
+    when passing HTML-encoded strings.
+
+    ## Impact
+
+    Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to
+    validate user-controlled URLs and then render approved URLs into
+    `href` or other browser-interpreted URI attributes may be
+    vulnerable to cross-site scripting (XSS).
+
+    This only affects Loofah `2.25.0`.
+
+    ## Mitigation
+
+    Upgrade to Loofah >= `2.25.1`.
+
+    ## Credit
+
+    Responsibly reported by HackOne user `@smlee`.
+  unaffected_versions:
+  - "< 2.25.0"
+  patched_versions:
+  - ">= 2.25.1"
+  related:
+    url:
+    - https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m
+    - https://github.com/advisories/GHSA-46fp-8f5p-pf2m
+---

advisories/_posts/2026-03-19-CVE-2026-33210.md

@@ -0,0 +1,42 @@
+---
+layout: advisory
+title: 'CVE-2026-33210 (json): Ruby JSON has a format string injection vulnerability'
+comments: false
+categories:
+- json
+advisory:
+  gem: json
+  cve: 2026-33210
+  ghsa: 3m6g-2423-7cp3
+  url: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
+  title: Ruby JSON has a format string injection vulnerability
+  date: 2026-03-19
+  description: |
+    ### Impact
+
+    A format string injection vulnerability than that lead to denial of
+    service attacks or information disclosure, when the `allow_duplicate_key:
+    false` parsing option is used to parse user supplied documents.
+
+    This option isn't the default, if you didn't opt-in to use it,
+    you are not impacted.
+
+    ### Patches
+
+    Patched in `2.19.2`.
+
+    ### Workarounds
+
+    The issue can be avoided by not using the `allow_duplicate_key: false`
+    parsing option.
+  unaffected_versions:
+  - "< 2.14.0"
+  patched_versions:
+  - "~> 2.15.2.1"
+  - "~> 2.17.1.2"
+  - ">= 2.19.2"
+  related:
+    url:
+    - https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
+    - https://github.com/advisories/GHSA-3m6g-2423-7cp3
+---