ADVISORIES
- OSVDB-114435
- Vendor Advisory
GEM
PATCHED VERSIONS
- ~> 2.2.5
- >= 3.0.1
DESCRIPTION
Devise contains a flaw that allows a remote, user-assisted attacker to conduct a CSRF token fixation attack. This issue is triggered as previous CSRF tokens are not properly invalidated when a new token is created. If an attacker has knowledge of said token, a specially crafted request can be made to it, allowing the attacker to conduct CSRF attacks.