GEM
rails_admin
SEVERITY
CVSS v3.x: 8.8 (High)
CVSS v2.0: 5.5 (Medium)
UNAFFECTED VERSIONS
- < 1.0.0
PATCHED VERSIONS
- >= 1.1.1
DESCRIPTION
The rails_admin gem is vulnerable to cross-site request forgery (CSRF). Due to a bug, the gem's controllers did not validate CSRF tokens on non-GET requests. As a result, an attacker who lures an authenticated administrator's browser to a malicious page can make that browser issue state-changing requests (POST, PUT, PATCH, DELETE) to the administrative endpoints exposed by the gem. Because the browser attaches the administrator's session cookie to those requests, the application treats them as legitimate administrative actions. Applications running an affected version should upgrade to 1.1.1 or later.
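To make the missing check concrete, the following is an added example in plain Ruby; it is not code from rails_admin or from the advisory. It models Rails-style CSRF verification with a session-bound token and contrasts the vulnerable behaviour (non-GET requests are never checked) with the hardened one (every non-safe method must present a token matching the session). The names `CsrfGuard`, `Request` and `simulate` are hypothetical, as are the constructed requests; in a real Rails application the equivalent control is `protect_from_forgery with: :exception` on the controller that serves the admin routes.

```ruby
require 'securerandom'

# Hypothetical stand-in for a Rack/Rails request: HTTP method, the server-side
# session hash, form params and request headers.
Request = Struct.new(:method, :session, :params, :headers, keyword_init: true)

module CsrfGuard
  # Methods that must never change state and therefore need no token.
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  # Issue (or reuse) the per-session token that gets rendered into forms.
  def self.token_for(session)
    session[:csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so timing differences do not leak the token.
  def self.secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Vulnerable behaviour: every request is accepted, so a POST/PUT/DELETE
  # forged by an attacker's page rides the victim's session cookie unchallenged.
  def self.vulnerable_verified?(_request)
    true
  end

  # Hardened behaviour: safe methods pass; any other method must carry a token
  # (form field or X-CSRF-Token header) equal to the one stored in the session.
  def self.verified?(request)
    return true if SAFE_METHODS.include?(request.method.to_s.upcase)

    expected = request.session[:csrf_token]
    return false if expected.nil? || expected.empty?

    presented = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
    secure_equal?(presented, expected)
  end

  # Constructed scenario: a victim with a live admin session, an attacker-forged
  # POST that cannot know the token, a legitimate POST from the admin's own form,
  # and a plain GET. Returns the outcome of each check.
  def self.simulate
    session = {}
    token = token_for(session)

    forged = Request.new(method: 'POST', session: session, params: {}, headers: {})
    guessed = Request.new(method: 'DELETE', session: session,
                          params: { 'authenticity_token' => 'x' * token.bytesize }, headers: {})
    legit = Request.new(method: 'POST', session: session,
                        params: { 'authenticity_token' => token }, headers: {})
    ajax = Request.new(method: 'PATCH', session: session,
                       params: {}, headers: { 'X-CSRF-Token' => token })
    read = Request.new(method: 'GET', session: session, params: {}, headers: {})

    {
      forged_passes_vulnerable: vulnerable_verified?(forged),
      forged_passes_hardened: verified?(forged),
      guessed_passes_hardened: verified?(guessed),
      legit_passes_hardened: verified?(legit),
      ajax_passes_hardened: verified?(ajax),
      get_passes_hardened: verified?(read)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  CsrfGuard.simulate.each { |name, result| puts "#{name}: #{result}" }
end
```

The forged request is exactly what an attacker's page can produce: the browser supplies the session cookie, but nothing else, so a check keyed on a session-bound secret defeats it. Note that the token must also be rejected when the session has none yet; accepting a missing token on both sides would reopen the hole for fresh sessions.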