RubySec

Providing security resources for the Ruby community

CVE-2013-4562 (omniauth-facebook): omniauth-facebook Gem for Ruby Unspecified CSRF

GEM

omniauth-facebook

SEVERITY

CVSS v2.0: 6.8 (Medium)

UNAFFECTED VERSIONS

  • <= 1.4.0

PATCHED VERSIONS

  • >= 1.5.0
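The two ranges above leave a gap: a locked omniauth-facebook release that is neither <= 1.4.0 nor >= 1.5.0 is the one the advisory covers. The following is an added example, not code from RubySec or from the gem, showing how to apply those ranges to the entry in a project's Gemfile.lock with the stdlib `Gem::Requirement` matcher (the same rule bundler-audit applies). The lockfile fragment is constructed for the demonstration; the helper names are assumptions.

```ruby
require 'rubygems'

# Ranges copied from the advisory. A release is affected when it satisfies
# neither requirement (e.g. 1.4.1 fails both and is therefore affected).
UNAFFECTED = Gem::Requirement.new('<= 1.4.0')
PATCHED    = Gem::Requirement.new('>= 1.5.0')

def vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  !(UNAFFECTED.satisfied_by?(v) || PATCHED.satisfied_by?(v))
end

# Extracts the pinned version of a gem from Gemfile.lock text.
# Spec lines sit at four spaces of indent ("    omniauth-facebook (1.4.1)");
# dependency lines are indented deeper and carry a requirement, not a version.
# Returns nil when the gem is not in the lockfile at all.
def locked_version(lockfile_text, gem_name = 'omniauth-facebook')
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# :not_present, :vulnerable or :ok for the omniauth-facebook entry.
def audit(lockfile_text)
  version = locked_version(lockfile_text)
  return :not_present if version.nil?
  vulnerable?(version) ? :vulnerable : :ok
end

# Constructed Gemfile.lock fragment (assumed content, for illustration only).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      hashie (2.0.5)
      omniauth (1.1.4)
        hashie (>= 1.2, < 3)
        rack
      omniauth-facebook (1.4.1)
        omniauth-oauth2 (~> 1.1.0)
      omniauth-oauth2 (1.1.1)
        oauth2 (~> 0.8.0)
        omniauth (~> 1.0)
LOCK

if __FILE__ == $0
  puts "omniauth-facebook #{locked_version(SAMPLE_LOCK)}: #{audit(SAMPLE_LOCK)}"
end
```

Run it against a real lockfile with `audit(File.read('Gemfile.lock'))`; anything other than `:ok` or `:not_present` means the pin must move to 1.5.0 or later.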

DESCRIPTION

omniauth-facebook Gem for Ruby contains a flaw: certain sensitive actions are triggered by HTTP requests that do not require multiple steps, explicit confirmation, or a unique per-session token. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack that causes the victim's browser, carrying the victim's own session, to perform an unspecified action. The advisory does not identify the action; releases later than 1.4.0 and earlier than 1.5.0 fall between the two version ranges above, so the remedy is to upgrade to 1.5.0 or later.
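Because the advisory leaves the affected action unspecified, the following is an added illustration of the flaw class it describes (a sensitive request accepted without a unique token) beside the token-checked form, not code from omniauth-facebook or RubySec. The `SensitiveAction` class, the hash-based session and request, and the `account` parameter are assumptions made so the example runs offline; a real application would use its framework's session and request objects.

```ruby
require 'securerandom'

# Constant-time comparison so the token check does not leak how many leading
# bytes matched. (Stand-in for Rack::Utils.secure_compare; no gem dependency.)
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical endpoint that performs an account-linking action (assumed name).
class SensitiveAction
  attr_reader :performed

  def initialize
    @performed = []
  end

  # VULNERABLE pattern named by the advisory: the action fires for any request
  # that reaches the endpoint. A page on a site the attacker controls can embed
  # e.g. <img src="https://victim.example/connect?account=attacker">; the
  # victim's browser sends it with the victim's cookies, and it is accepted.
  def handle_unprotected(session, params)
    @performed << params['account']
    :performed
  end

  # HARDENED pattern: the legitimate page is served with a one-time token that
  # is also stored in the victim's session. A cross-site page cannot read that
  # session, so it cannot supply a matching token.
  def issue_token(session)
    session[:csrf_token] = SecureRandom.hex(32)
  end

  def handle_protected(session, params)
    expected = session.delete(:csrf_token)   # single use: consumed on first check
    supplied = params['token'].to_s
    return :rejected unless expected && secure_equal?(supplied, expected)
    @performed << params['account']
    :performed
  end
end

# A forged cross-site request carries the victim's session but no token
# (the attacker never saw one). Returns [unprotected outcome, protected outcome].
def forged_request_outcomes
  session = {}
  action = SensitiveAction.new
  forged = { 'account' => 'attacker' }   # constructed cross-site request
  [action.handle_unprotected(session, forged), action.handle_protected(session, forged)]
end

# A legitimate request echoes the issued token; replaying the same token
# afterwards is refused because it was consumed. Returns [first, replay].
def legitimate_request_outcomes
  session = {}
  action = SensitiveAction.new
  token = action.issue_token(session)
  first  = action.handle_protected(session, 'account' => 'me', 'token' => token)
  replay = action.handle_protected(session, 'account' => 'me', 'token' => token)
  [first, replay]
end

if __FILE__ == $0
  puts "forged request:     #{forged_request_outcomes.inspect}"
  puts "legitimate request: #{legitimate_request_outcomes.inspect}"
end
```

The point to carry over when auditing a version in the affected range is the first result: with no token requirement, a request the victim never intended is indistinguishable from one they did, which is exactly what upgrading to a release that requires the token restores.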