RubySec

Providing security resources for the Ruby community

CVE-2015-4619 (spina): Cross-site request forgery (CSRF) vulnerability in Spina gem

Cross-site request forgery (CSRF) vulnerability in Spina gem

Published: June 16, 2015

SECURITY IDENTIFIERS

GEM

spina

SEVERITY

CVSS v3.x: 8.8 (High)

PATCHED VERSIONS

>= 0.6.29

DESCRIPTION

"Spina::ApplicationController actions didn't have CSRF protection. This causes a CSRF vulnerability across the entire engine which includes administrative functionality such as creating users, changing passwords, and media management."
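
To check whether a project resolves to an affected release, the following compares the spina version in a Gemfile.lock against the patched range above. This is an added example, not code from the advisory or the Spina project; the function names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Patched range taken from the advisory above.
PATCHED = Gem::Requirement.new(">= 0.6.29")

# Returns the resolved versions of `gem_name` listed under "specs:" in a
# Gemfile.lock. Resolved specs are indented four spaces; the dependency
# constraints nested under them use six spaces and are skipped.
def locked_versions(lockfile_text, gem_name)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*$/
  lockfile_text.scan(pattern).flatten.map do |v|
    # Drop a platform suffix such as "1.2.3-x86_64-linux" before parsing.
    Gem::Version.new(v.split("-").first)
  end
end

# Returns :not_present, :patched, or :vulnerable for CVE-2015-4619.
def spina_csrf_status(lockfile_text)
  versions = locked_versions(lockfile_text, "spina")
  return :not_present if versions.empty?
  versions.all? { |v| PATCHED.satisfied_by?(v) } ? :patched : :vulnerable
end

# Constructed sample lockfile (not from any real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.4)
      spina (0.6.28)
        rails (>= 4.2)

  DEPENDENCIES
    spina (~> 0.6)
LOCK

puts spina_csrf_status(VULNERABLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

In a real project, pass `File.read("Gemfile.lock")` to `spina_csrf_status`.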

RELATED