GHSA-24fg-p96v-hxh8

Source

https://github.com/advisories/GHSA-24fg-p96v-hxh8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-24fg-p96v-hxh8/GHSA-24fg-p96v-hxh8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-24fg-p96v-hxh8

Aliases

CVE-2011-0447

Published

2017-10-24T18:33:38Z

Modified

2024-12-07T05:38:37.003705Z

Summary

actionpack Cross-Site Request Forgery vulnerability

Details

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.

Database specific

{
    "nvd_published_at": "2011-02-14T21:00:03Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:51:22Z"
}

References

Affected packages

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.3.11

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.2.2

2.2.3

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8.pre1

2.3.8

2.3.9.pre

2.3.9

2.3.10

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.4

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4.rc1