CVE-2015-9284
Published: Apr 26, 2019
Modified: Aug 6, 2024
PUBLISHED
Description
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
| Vendor | Product | Versions |
|---|---|---|
| n/a | omniauth ruby gem | affected All versions |
Weaknesses (CWE)
References
https://github.com/omniauth/omniauth/pull/809
x_refsource_MISC
https://github.com/omniauth/omniauth-rails/pull/1
x_refsource_MISC
[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase
mailing-list
x_refsource_MLIST