CVE-2015-9284

high

Description

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to sign into the web application as the primary account.

References

https://www.openwall.com/lists/oss-security/2015/05/26/11

https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

https://github.com/omniauth/omniauth/pull/809

https://github.com/omniauth/omniauth-rails/pull/1

Details

Source: MITRE, NVD

Published: 2019-04-26

Updated: 2024-02-14

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High