diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd0d76628..07ad0a815 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Fix nginx configuration to allow initial Let's Encrypt configuration (#92)
 - Events: open api and monitor improvement (#79)
 - Fix a bug: refund an invoice with a subscription and disabling it a the same time cause the resulting PDF to display the wrong dates
+- Fix a security issue: in development environments, web-console has a vulnerability as described in CVE-2015-3224
 - Fixed deploy instructions with docker-compose
 ## v2.6.0 2017 November 13
diff --git a/Gemfile b/Gemfile
index c42cd438a..6b4264297 100644
--- a/Gemfile
+++ b/Gemfile
@@ -30,7 +30,7 @@ group :development, :test do
 # gem 'byebug'
 # Access an IRB console on exception pages or by using <%= console %> in views
- gem 'web-console', '~> 2.0'
+ gem 'web-console', '~> 2.1.3'
 # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
 gem 'spring'
diff --git a/Gemfile.lock b/Gemfile.lock
index 04d6e12a4..82e029f29 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -70,7 +70,7 @@ GEM axlsx (>= 2.0.1) rails (>= 3.1) bcrypt (3.1.10) - binding_of_caller (0.7.2) + binding_of_caller (0.7.3) debug_inspector (>= 0.0.1) bootstrap-sass (3.3.4.1) autoprefixer-rails (>= 5.0.0.1)
@@ -138,7 +138,7 @@ GEM crass (1.0.2) daemons (1.2.4) database_cleaner (1.4.1) - debug_inspector (0.0.2) + debug_inspector (0.0.3) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) devise (3.4.1)
@@ -479,7 +479,7 @@ GEM equalizer (~> 0.0, >= 0.0.9) warden (1.2.3) rack (>= 1.0) - web-console (2.1.2) + web-console (2.1.3) activemodel (>= 4.0) binding_of_caller (>= 0.7.2) railties (>= 4.0)
@@ -567,7 +567,7 @@ DEPENDENCIES uglifier (>= 1.3.0) unicorn vcr - web-console (~> 2.0) + web-console (~> 2.1.3) webmock BUNDLED WITH
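Review bot: In the Gemfile hunk, `gem 'web-console', '~> 2.1.3'` raises the floor to the release the changelog ties to CVE-2015-3224, but it also lowers the ceiling from `< 3.0` to `< 2.2`, so `bundle update` can no longer pick up later 2.x releases of the gem. If only the minimum version matters here, `gem 'web-console', '~> 2.0', '>= 2.1.3'` keeps the original range while still refusing the older versions. The enclosing `group :development, :test do` block starts above the hunk and closes outside it; the changelog entry speaks of development environments only, so it is worth confirming whether the console needs to be loaded in the test group at all.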