---
gem: administrate
cve: 2020-5257
ghsa: 2p5p-m353-833w
title: Sort order SQL injection via `direction` parameter in administrate
date: 2020-03-14
url: https://github.com/advisories/GHSA-2p5p-m353-833w
description: |
  In Administrate (rubygem) before version 0.13.0, when sorting by attributes
  on a dashboard, the direction parameter was not validated before being
  interpolated into the SQL query.

  This could present a SQL injection if the attacker were able to modify the
  direction parameter and bypass ActiveRecord SQL protections.

  Whilst this does have a high-impact, to exploit this you need access to the
  Administrate dashboards, which should generally be behind authentication.

patched_versions:
  - ">= 0.13.0"

related:
  url:
    - https://github.com/thoughtbot/administrate/commit/3ab838b83c5f565fba50e0c6f66fe4517f98eed3