Vulnerabilities for 'Omniauth'

2019-04-26
CVE-2015-9284
CWE-352 (Cross-Site Request Forgery)

The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework. The request phase accepts a plain GET, so a cross-site link or image tag can start an OAuth flow in the victim's browser without user intent, interaction, or any feedback to the user, and the provider identity that completes the flow is connected to whatever application account the victim is logged into. An attacker who starts the flow with their own provider account can then sign in to the web application as the victim's account. The practical mitigation is to accept the request phase only over POST and to verify the Rails authenticity token on it; OmniAuth 2.0 made POST the default allowed request method and added a request validation phase, and the omniauth-rails_csrf_protection gem wires that validation to Rails' CSRF check for earlier setups.

 
2018-01-26
CVE-2017-18076
CWE-noinfo

In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected: the request phase copies every request parameter, POST form fields included and not only the query string, into the session (the omniauth.params entry), so a Rails authenticity_token submitted with the request is persisted in the session and becomes available in the environment of the callback phase. Anything that can read the callback environment, such as logging or a callback controller that stores the params, therefore sees the live CSRF token. From 1.3.2 the POST parameters are no longer stored, so only query-string parameters reach the callback phase.
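Both advisories concern the same few lines of the request phase: which HTTP verbs it accepts, whether it checks a CSRF token, and which parameters it copies into the session. The following is an added example written for this page, not code from OmniAuth or cxsecurity.com. It models the request phase with a small hash-based stand-in for a Rack env and session (build_env, the csrf_token session key, and the provider URL are assumptions made for the example) and places the vulnerable behaviour next to the hardened one: POST only, authenticity token verified with a constant-time compare, and only query-string parameters persisted so the token never lands in the session.

```ruby
require "securerandom"
require "uri"

# Stand-in for a Rack env plus session so the example runs without Rack,
# Rails or OmniAuth installed (assumption: real code uses Rack::Request).
def build_env(method:, path:, query: "", body: "", session: {})
  {
    "REQUEST_METHOD" => method,
    "PATH_INFO"      => path,
    "QUERY_STRING"   => query,
    "rack.input"     => body,      # url-encoded form body, as a plain string here
    "rack.session"   => session,
  }
end

def query_params(env)
  URI.decode_www_form(env["QUERY_STRING"]).to_h
end

# Form fields only exist on POST; a GET-started flow has none.
def form_params(env)
  return {} unless env["REQUEST_METHOD"] == "POST"
  URI.decode_www_form(env["rack.input"]).to_h
end

def all_params(env)
  query_params(env).merge(form_params(env))
end

# Per-session CSRF token, the value Rails would render into the form.
def csrf_token_for(session)
  session["csrf_token"] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the token cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_csrf_token?(session, supplied)
  expected = session["csrf_token"]
  return false if expected.nil? || supplied.nil?
  secure_compare(expected, supplied)
end

# Vulnerable request phase, modelled on what the two advisories describe:
# any verb starts the flow (CVE-2015-9284) and every parameter, POST fields
# included, is copied into the session (CVE-2017-18076).
def request_phase_vulnerable(env)
  env["rack.session"]["omniauth.params"] = all_params(env)
  [302, { "Location" => "https://provider.example/authorize" }, []]
end

# Hardened request phase: reject non-POST, verify the authenticity token,
# and persist only the query-string parameters.
def request_phase_hardened(env)
  session = env["rack.session"]
  unless env["REQUEST_METHOD"] == "POST"
    return [405, { "Allow" => "POST" }, ["request phase requires POST"]]
  end
  supplied = form_params(env)["authenticity_token"]
  unless valid_csrf_token?(session, supplied)
    return [403, {}, ["invalid authenticity token"]]
  end
  session["omniauth.params"] = query_params(env)
  [302, { "Location" => "https://provider.example/authorize" }, []]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = csrf_token_for(session)
  # Cross-site GET, as an attacker's <img src="/auth/example"> would send it.
  cross_site = build_env(method: "GET", path: "/auth/example", session: session)
  puts "GET  vulnerable: #{request_phase_vulnerable(cross_site)[0]}   hardened: #{request_phase_hardened(cross_site)[0]}"
  # Legitimate POST from the application's own form.
  legit = build_env(method: "POST", path: "/auth/example", query: "origin=%2Fsettings",
                    body: "authenticity_token=#{token}", session: session)
  puts "POST hardened: #{request_phase_hardened(legit)[0]}, session params: #{session["omniauth.params"]}"
end
```

Running it shows the GET-started flow accepted by the vulnerable phase and rejected with 405 by the hardened one, and, after the legitimate POST, a session that holds only origin and not the authenticity token.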

 


Copyright 2024, cxsecurity.com
