RubySec

Providing security resources for the Ruby community

CVE-2016-3098 (administrate): Cross-site request forgery (CSRF) vulnerability in administrate gem

GEM

administrate

PATCHED VERSIONS

  • >= 0.1.5

DESCRIPTION

Actions in Administrate::ApplicationController, the base controller that every Administrate dashboard inherits from, did not enable Rails' CSRF protection. A remote attacker who gets a logged-in administrator to visit a page they control can have the victim's browser submit forged requests to the dashboard; because the browser attaches the session cookie automatically, those requests run with the administrator's privileges, so the attacker can invoke any action Administrate exposes (for example editing or deleting managed records) on the victim's behalf. Upgrade to 0.1.5 or later, where the controller verifies the CSRF token.
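The following added example (not code from the administrate gem or from RubySec) simulates the two behaviours the advisory contrasts, without Rails installed. CsrfGuard is a stripped-down stand-in for the check Rails performs when a controller declares protect_from_forgery: safe methods (GET, HEAD) pass, every other request must carry a token that matches the one stored in the session, supplied as the authenticity_token parameter or the X-CSRF-Token header. VulnerableAdminController models the unpatched behaviour described above; HardenedAdminController models a controller that performs the check. The request shapes, the session contents and the /admin/users/7 path are constructed for the demonstration and are not taken from the gem.

```ruby
require "securerandom"

# Minimal stand-in for a Rails request. In a real browser the session cookie
# is attached to every request to the site, which is what CSRF exploits.
Request = Struct.new(:http_method, :path, :params, :headers, :session, keyword_init: true)

class ForgeryDetected < StandardError; end

# Simplified version of the verification Rails runs for protect_from_forgery.
# (Real Rails also masks per-request tokens and supports per-form tokens.)
module CsrfGuard
  SAFE_METHODS = %w[GET HEAD].freeze

  def self.verified_request?(request)
    return true if SAFE_METHODS.include?(request.http_method.upcase)

    expected = request.session[:_csrf_token]
    supplied = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
    return false if expected.nil? || supplied.nil?

    secure_compare(expected, supplied)
  end

  # Constant-time comparison so the token cannot be guessed byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Unpatched behaviour: the action runs for any request the browser will send,
# with nothing tying the request to a form the application itself rendered.
class VulnerableAdminController
  attr_reader :deleted

  def initialize
    @deleted = []
  end

  def destroy(request)
    @deleted << request.params["id"]
    :destroyed
  end
end

# Patched behaviour: the action is only reached when the token verifies,
# which is what `protect_from_forgery with: :exception` gives a Rails controller.
class HardenedAdminController < VulnerableAdminController
  def destroy(request)
    raise ForgeryDetected, "missing or invalid CSRF token" unless CsrfGuard.verified_request?(request)

    super
  end
end

# Constructed scenario: an administrator with a live session.
def victim_session
  { user_id: 42, _csrf_token: SecureRandom.base64(32) }
end

# What an attacker-controlled page can make the victim's browser send: the
# method, path and params are under the attacker's control, the session cookie
# rides along, but the attacker cannot read the token stored in that session.
def forged_request(session)
  Request.new(http_method: "POST", path: "/admin/users/7",
              params: { "id" => "7", "_method" => "delete" },
              headers: { "Origin" => "https://attacker.example" },
              session: session)
end

# A request from a form the application rendered, which embeds the session token.
def legitimate_request(session)
  Request.new(http_method: "POST", path: "/admin/users/7",
              params: { "id" => "7", "_method" => "delete",
                        "authenticity_token" => session[:_csrf_token] },
              headers: {}, session: session)
end

def run_forgery(controller_class)
  controller_class.new.destroy(forged_request(victim_session))
  :forgery_succeeded
rescue ForgeryDetected
  :forgery_rejected
end

def run_legitimate(controller_class)
  controller_class.new.destroy(legitimate_request(victim_session))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable controller, forged request: #{run_forgery(VulnerableAdminController)}"
  puts "hardened controller,   forged request: #{run_forgery(HardenedAdminController)}"
  puts "hardened controller,   genuine form:   #{run_legitimate(HardenedAdminController)}"
end
```

Running the script shows the forged DELETE going through on the vulnerable controller and being rejected on the hardened one, while a request carrying the token from a genuinely rendered form still succeeds. The guard never consults the Origin header: it is shown only to make clear where the request came from, and the check works even when that header is absent.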