GHSA-wrrw-crp8-979q: 
Ruby vulnerability analysis and mitigation

A high-severity vulnerability was identified in the Pageflow Ruby gem that allows sensitive user data extraction through Ransack query injection. The vulnerability affects Pageflow versions < 14.5.2 and versions >= 15.0.0, < 15.7.1. The issue was published on September 14, 2022, and was discovered by Positive Security (GitHub Advisory).

The vulnerability stems from Pageflow's use of the ActiveAdmin Ruby library for management features, which relies on the Ransack library for search functionality. In its default configuration, Ransack allows query conditions based on properties of associated database objects. The vulnerability specifically involves the exploitation of search matchers like startswith, endswith, or *_contains, which can be manipulated to perform character-by-character brute-force attacks to extract sensitive string values from associated database objects (GitHub Advisory).

The vulnerability enables attackers to extract sensitive properties of database objects that are associated with users or entries belonging to an account that the attacker has access to (GitHub Advisory).

Users are advised to upgrade to version 15.7.1 or 14.5.2 of the pageflow gem to address this vulnerability. These versions contain the necessary security patches to prevent the Ransack query injection attack (GitHub Advisory).