Back to search
CVE-2011-0447
Published: Feb 14, 2011
Modified: Aug 6, 2024
PUBLISHED
Description
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
ADV-2011-0587
vdb-entry
x_refsource_VUPEN
1025060
vdb-entry
x_refsource_SECTRACK
FEDORA-2011-2138
vendor-advisory
x_refsource_FEDORA
46291
vdb-entry
x_refsource_BID
DSA-2247
vendor-advisory
x_refsource_DEBIAN
[rubyonrails-security] 20110209 CSRF Protection Bypass in Ruby on Rails
mailing-list
x_refsource_MLIST
FEDORA-2011-4358
vendor-advisory
x_refsource_FEDORA
43274
third-party-advisory
x_refsource_SECUNIA
ADV-2011-0877
vdb-entry
x_refsource_VUPEN
FEDORA-2011-2133
vendor-advisory
x_refsource_FEDORA
43666
third-party-advisory
x_refsource_SECUNIA
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now