GHSA-h8hx-2c5r-32cf

Source
https://github.com/advisories/GHSA-h8hx-2c5r-32cf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-h8hx-2c5r-32cf/GHSA-h8hx-2c5r-32cf.json
Aliases
Published
2021-04-13T17:01:50Z
Modified
2023-11-08T04:05:33.956357Z
Details

Impact

A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials.

Patches

The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems.

For more information

If you have any questions or comments about this advisory: * Open an issue in trestle-auth * Email the maintainer at sam@sampohlenz.com

References

Affected packages

RubyGems / trestle-auth

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.4.0
Fixed
0.4.2

Affected versions

0.*

0.4.0
0.4.1