Rubyonrails: Security Vulnerabilities, CVEs (CSRF)
A CSRF vulnerability exists in the rails-ujs module of Rails <= 6.0.3 that could allow attackers to send CSRF tokens to the wrong domains.
Max CVSS: 6.5 | EPSS Score: 0.31% | Published: 2020-06-19 | Updated: 2021-10-21
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
Max CVSS: 4.3 | EPSS Score: 0.31% | Published: 2020-07-02 | Updated: 2020-11-20
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
Max CVSS: 5.0 | EPSS Score: 0.62% | Published: 2015-07-26 | Updated: 2018-10-30
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
Max CVSS: 6.8 | EPSS Score: 0.38% | Published: 2011-02-14 | Updated: 2019-08-08
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Max CVSS: 6.8 | EPSS Score: 15.49% | Published: 2009-12-16 | Updated: 2023-02-13
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
Max CVSS: 5.0 | EPSS Score: 0.21% | Published: 2008-11-21 | Updated: 2019-08-08
6 vulnerabilities found