RubySec

Providing security resources for the Ruby community

CVE-2016-10522 (rails_admin): CSRF vulnerability in rails_admin

GEM

rails_admin

SEVERITY

CVSS v2: 5.5

UNAFFECTED VERSIONS

  • < 1.0.0

PATCHED VERSIONS

  • >= 1.1.1

DESCRIPTION

The rails_admin gem is vulnerable to cross-site request forgery (CSRF) attacks. Due to a bug, CSRF tokens were not validated on non-GET requests and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.
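The check that the advisory says was missing is the one Rails' `protect_from_forgery` normally performs: GET and HEAD requests pass through, while every other method must present an authenticity token matching the one stored in the session. The following is an added illustration, not code from rails_admin or RubySec: a minimal Rack-style guard (the `CsrfGuard` class, the `ADMIN_APP` backend and the `simulate` helper are all hypothetical names) that accepts the token either as an `authenticity_token` form field or an `X-CSRF-Token` header, compares it in constant time, and returns 403 otherwise. It uses only the Ruby standard library, so it runs without Rails or a web server.

```ruby
# Added example (not rails_admin's own code): enforce CSRF tokens on every
# non-GET/HEAD request, the behaviour the advisory says the gem lacked.
require 'securerandom'
require 'stringio'

SAFE_METHODS = %w[GET HEAD].freeze

class CsrfGuard
  # app: the wrapped Rack application (hypothetical; anything responding to #call)
  def initialize(app)
    @app = app
  end

  def call(env)
    session = env['rack.session'] ||= {}
    # Mint a per-session secret on first contact; pages embed it in forms.
    session['csrf_token'] ||= SecureRandom.hex(32)
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    submitted = env['HTTP_X_CSRF_TOKEN'] || form_token(env['rack.input'])
    unless valid?(session['csrf_token'], submitted)
      return [403, { 'content-type' => 'text/plain' }, ['CSRF token missing or invalid']]
    end
    @app.call(env)
  end

  private

  # Pull authenticity_token out of a urlencoded body; tokens are hex so no decoding needed.
  def form_token(body)
    return nil unless body
    params = body.read.split('&').map { |kv| k, v = kv.split('=', 2); [k, v] }.to_h
    body.rewind
    params['authenticity_token']
  end

  # Constant-time comparison: reject length mismatch, then OR all byte differences.
  def valid?(expected, submitted)
    return false if submitted.nil? || submitted.bytesize != expected.bytesize
    submitted.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed stand-in for an administrative endpoint behind the guard.
ADMIN_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['admin action performed']] }

# Drive the guard with a constructed Rack env and return the status code.
def simulate(method, session:, token: nil, header: nil)
  body = token ? "authenticity_token=#{token}&name=x" : 'name=x'
  env = {
    'REQUEST_METHOD' => method,
    'rack.session' => session,
    'rack.input' => StringIO.new(body)
  }
  env['HTTP_X_CSRF_TOKEN'] = header if header
  CsrfGuard.new(ADMIN_APP).call(env).first
end

if $PROGRAM_NAME == __FILE__
  session = {}
  simulate('GET', session: session)                     # establishes the session token
  token = session['csrf_token']
  puts "POST without token: #{simulate('POST', session: session)}"
  puts "POST with token:    #{simulate('POST', session: session, token: token)}"
  puts "DELETE bad token:   #{simulate('DELETE', session: session, token: 'forged')}"
end
```

The guard is deliberately stateless apart from the session: a forged request from another origin cannot read the victim's session token, so it cannot supply a matching value, which is exactly the property the unpatched versions failed to enforce for non-GET administrative actions.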