CVE-2008-7248 – actionpack
Package
Manager: gem
Name: actionpack
Vulnerable Version: >=2.1.0 <2.1.3 || >=2.2.0 <2.2.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.11409 (percentile: 0.93318)
Details
Improper input validation in actionpack: Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Metadata
Created: 2017-10-24T18:33:38Z
Modified: 2023-05-26T16:54:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-8fqx-7pv4-3jwm/GHSA-8fqx-7pv4-3jwm.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-8fqx-7pv4-3jwm
Finding: F184
Auto approve: 1