rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.
References
Link | Resource |
---|---|
https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a | Patch Third Party Advisory |
https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure/ | Exploit Patch Third Party Advisory |
https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173 | Exploit Patch Third Party Advisory |
Configurations
History
No history.
Information
Published : 2018-07-05 16:29
Updated : 2024-02-28 16:25
NVD link : CVE-2016-10522
Mitre link : CVE-2016-10522
CVE.ORG link : CVE-2016-10522
JSON object : View
Products Affected
rails_admin_project
- rails_admin
CWE
CWE-352
Cross-Site Request Forgery (CSRF)