An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
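The failure mode described above, as an added Ruby example that is not Devise's code: an equality lookup on the token column shown beside a version that rejects blank tokens before the lookup, plus an audit helper that lists unconfirmed rows with a blank token. The `User` struct, the sample rows and all function names are constructed for illustration, and the in-memory array stands in for the users table.

```ruby
# Constructed in-memory stand-in for a users table (illustration only).
User = Struct.new(:email, :confirmation_token, :confirmed_at)

def sample_users
  [
    User.new("alice@example.test", "tok-alice-123", nil),
    # Rows with a blank token, assumed to come from app-specific code or imports.
    User.new("legacy@example.test", "", nil),
    User.new("nil@example.test", nil, nil),
  ]
end

# Blank means nil, empty, or whitespace only.
def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Unguarded: a blank submitted token matches a row whose column is also blank.
def confirm_unguarded(users, token)
  user = users.find { |u| u.confirmation_token == token }
  return nil unless user
  user.confirmed_at = Time.now
  user
end

# Guarded: refuse blank tokens before touching the data store.
def confirm_guarded(users, token)
  return nil if blank?(token)
  user = users.find { |u| u.confirmation_token == token }
  return nil unless user
  user.confirmed_at = Time.now
  user
end

# Audit helper: unconfirmed rows that a blank-token request could confirm.
def rows_with_blank_token(users)
  users.select { |u| u.confirmed_at.nil? && blank?(u.confirmation_token) }
end
```

Running the equivalent of `rows_with_blank_token` against the real table shows whether an application on a version before 4.7.1 has any rows in the state the advisory describes.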
{ "github_reviewed_at": "2019-09-11T22:42:42Z", "severity": "MODERATE", "nvd_published_at": "2019-09-08T20:15:10Z", "github_reviewed": true, "cwe_ids": [ "CWE-284" ] }