Advisories for Gem/Administrate package

In Administrate (rubygem), when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication.

Administrate::ApplicationController actions don't have CSRF protection. Remote attackers can hijack user's sessions and use any functionality that administrate exposes on their behalf.