CVE-2016-3098: Cross-site request forgery (CSRF) vulnerability in administrate gem

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth authorization code.



oss-sec mailing list archives

From: Tute Costa <tute () thoughtbot com>
Date: Fri, 1 Apr 2016 13:42:37 -0400

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth authorization code.

Versions Affected: 0.1.4 and below
Fixed Versions: 0.1.5

Impact

`Administrate::ApplicationController` did not enable CSRF protection, so none of the admin actions it serves verified an authenticity token on state-changing requests. A remote attacker who lures a logged-in administrator to a page they control can make that administrator's browser submit requests to the admin interface, and so use any functionality that Administrate exposes on the administrator's behalf.

Releases

The 0.1.5 release is available at https://rubygems.org/gems/administrate and https://github.com/thoughtbot/administrate.

Upgrade Process

Upgrade administrate to version 0.1.5 or later.

Workarounds

If you cannot upgrade yet, you can reopen Administrate's `ApplicationController` in your application (for example from a file under `config/initializers/`, so it is loaded after the gem defines the class) to add CSRF protection:

```ruby
module Administrate
  class ApplicationController < ActionController::Base
    # Verify the Rails authenticity token on every non-GET request.
    # `with: :exception` makes a missing or mismatched token raise
    # ActionController::InvalidAuthenticityToken instead of silently
    # clearing the session.
    protect_from_forgery with: :exception
  end
end
```
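To make concrete what `protect_from_forgery` adds and why the unprotected controller was exploitable, the following is an added, dependency-free Ruby example (not Administrate's or Rails' own code). It re-implements in miniature the Rails-style masked authenticity token: a per-session secret that never leaves the session, a per-form masked copy (one-time pad XOR secret), and a constant-time check on state-changing requests. The `verify_authenticity!` filter, the `InvalidAuthenticityToken` class and the hash-based "session" are assumptions made for the example; the two forged requests at the end mirror the attack scenario (victim's cookie is sent automatically, but no token bound to the victim's session can be).

```ruby
require "securerandom"

# Miniature re-implementation of a masked CSRF token scheme (example code,
# not the Rails or Administrate implementation).
module CsrfGuard
  TOKEN_LENGTH = 32

  # Per-session secret. It is only ever stored server-side in the session.
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Value embedded in a form: base64( pad || (pad XOR secret) ).
  # A fresh pad per form means two forms never carry the same bytes.
  def self.masked_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    [pad + xor_bytes(pad, session_token(session))].pack("m0")
  end

  # Unmask the submitted value and compare it to this session's secret.
  def self.valid_token?(session, submitted)
    return false if submitted.nil?
    decoded = begin
      submitted.unpack1("m0")          # strict base64; raises on junk
    rescue ArgumentError
      return false
    end
    return false unless decoded.bytesize == TOKEN_LENGTH * 2
    pad    = decoded[0, TOKEN_LENGTH]
    masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor_bytes(pad, masked), session_token(session))
  end

  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so the check does not leak the secret byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Assumed stand-in for ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Assumed stand-in for the before_action that `protect_from_forgery with: :exception`
# installs: safe verbs pass, every other verb must carry a token bound to the session.
def verify_authenticity!(session, http_method, params)
  return true if SAFE_METHODS.include?(http_method)
  unless CsrfGuard.valid_token?(session, params["authenticity_token"])
    raise InvalidAuthenticityToken, "token missing or not bound to this session"
  end
  true
end

# Constructed scenario: the victim's browser is made to POST to the admin app.
# The session cookie rides along automatically; a valid token cannot.
def forged_request_rejected?
  victim_session   = {}
  attacker_session = {}
  attempts = [
    {},                                                               # no token at all
    { "authenticity_token" => CsrfGuard.masked_token(attacker_session) }, # attacker's own token
    { "authenticity_token" => "not base64 at all" }                   # malformed token
  ]
  attempts.all? do |params|
    verify_authenticity!(victim_session, "POST", params)
    false
  rescue InvalidAuthenticityToken
    true
  end
end

# Constructed scenario: a form rendered inside the admin's own session.
def legitimate_request_accepted?
  session = {}
  form_token = CsrfGuard.masked_token(session)
  verify_authenticity!(session, "POST", { "authenticity_token" => form_token })
end

if __FILE__ == $PROGRAM_NAME
  puts "forged POSTs rejected:      #{forged_request_rejected?}"
  puts "legitimate POST accepted:   #{legitimate_request_accepted?}"
end
```

The check fails closed: any request that is not a safe verb and does not carry a token unmaskable to the caller's own session secret is refused, which is exactly the gate that was absent from the unpatched `Administrate::ApplicationController`.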

Credits

Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.

