CVSS v2: 6.8
- ~> 1.4.1
- >= 2.0.0
Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier allows remote attackers to hijack the user’s OAuth autorization code. This vulnerability has been assigned the CVE identifier CVE-2014-8144.
Doorkeeper’s endpoints didn’t have CSRF protection. Any HTML document on the Internet can then read a user’s authorization code with arbitrary scope from any Doorkeeper-compatible Rails app you are logged in.