RubySec

Providing security resources for the Ruby community

CVE-2016-10522 (rails_admin): CSRF vulnerability in rails_admin

GEM

rails_admin

SEVERITY

CVSS v3.x: 8.8 (High)

CVSS v2.0: 5.5 (Medium)

UNAFFECTED VERSIONS

  • < 1.0.0

PATCHED VERSIONS

  • >= 1.1.1

DESCRIPTION

The rails_admin gem is vulnerable to cross-site request forgery (CSRF). Because of a bug, the gem did not validate the Rails CSRF (authenticity) token on non-GET requests (POST, PUT/PATCH, DELETE). An attacker who lures an authenticated administrator to a page under the attacker's control can therefore have the administrator's browser submit state-changing requests to the administrative endpoints exposed by the gem, such as creating, modifying or deleting records, with the victim's session cookie attached. Versions before 1.0.0 are not affected; upgrade to 1.1.1 or later.
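As an added illustration (not rails_admin's or Rails' own code), the block below implements the synchronizer-token check that was missing, in plain Ruby using only the standard library, and replays a constructed attack against an unprotected and a protected dispatcher. It models what protect_from_forgery does in Rails, simplified: tokens are compared unmasked, and the helper names (verify_request, simulate_csrf_attack) and the parameter/header names are assumptions for the example.

```ruby
# Added example, not code from rails_admin or Rails.
# A minimal synchronizer-token CSRF check modelled on protect_from_forgery.
require "securerandom"

# Methods that must have no side effects and therefore need no token.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Constant-time comparison so a wrong token does not leak where it diverged.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Issue one random token per session (session is a Hash standing in for the store).
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Returns :allowed or :unverified for a request with the given method.
# Non-GET requests must carry the session's token, either as the
# authenticity_token form field or in the X-CSRF-Token header (names assumed).
def verify_request(method, session, params: {}, headers: {})
  return :allowed if SAFE_METHODS.include?(method.upcase)
  expected  = session[:_csrf_token]
  submitted = params["authenticity_token"] || headers["X-CSRF-Token"]
  return :unverified if expected.nil? || submitted.nil?
  secure_compare(expected, submitted) ? :allowed : :unverified
end

# Constructed scenario: an attacker's page auto-submits a POST to an admin
# delete endpoint. The victim's browser attaches the admin session cookie but
# cannot read or send the token. Returns :deleted if the action runs.
def simulate_csrf_attack(enforce_csrf:)
  admin_session = {}
  csrf_token_for(admin_session)                 # admin is logged in, token issued
  forged_method = "POST"
  forged_params = { "id" => "1" }               # no authenticity_token present

  if enforce_csrf
    verdict = verify_request(forged_method, admin_session, params: forged_params)
    return :rejected if verdict == :unverified
  end
  :deleted                                      # destructive action executes
end

if __FILE__ == $PROGRAM_NAME
  puts "without CSRF check: #{simulate_csrf_attack(enforce_csrf: false)}"  # :deleted
  puts "with CSRF check:    #{simulate_csrf_attack(enforce_csrf: true)}"   # :rejected
end
```

The unprotected dispatcher is the pre-1.1.1 behaviour described above: the cookie alone authorises the action. With the check in place the forged request is rejected because the attacker's page cannot obtain the per-session token, while legitimate same-origin forms and XHR calls that include it still pass.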