Skip to content

CVE-2020-36599 (Critical), CVE-2015-9284 (High) #178

New issue
New issue
Open
Open
CVE-2020-36599 (Critical), CVE-2015-9284 (High)#178
@wimpog

Description

@wimpog
wimpog
opened on May 13, 2024

CVE-2020-36599

CRITICAL Score 9.8
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

CVE-2015-9284

HIGH Score 8.8
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions