GHSA-cf36-985g-v73c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cf36-985g-v73c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-cf36-985g-v73c/GHSA-cf36-985g-v73c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cf36-985g-v73c
- Aliases
-
- CVE-2013-4562
- Published
- 2017-10-24T18:33:37Z
- Modified
- 2024-11-30T05:38:59.133292Z
- Summary
- omniauth-facebook Cross-Site Request Forgery vulnerability
- Details
-
The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store the session parameter, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the state parameter.
- Database specific
{ "nvd_published_at": "2014-05-13T15:55:04Z", "cwe_ids": [ "CWE-352" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:31:10Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-4562
- https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7
- https://github.com/mkdynamic/omniauth-faceboo
- https://groups.google.com/d/msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ
- http://seclists.org/oss-sec/2013/q4/264
- http://seclists.org/oss-sec/2013/q4/267
Affected packages
RubyGems / omniauth-facebook
Package
- Name
- omniauth-facebook
- Purl
- pkg:gem/omniauth-facebook