6.8

CVE-2008-7248

Exploit
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version2.1.0
RubyonrailsRails Version2.1.1
RubyonrailsRails Version2.1.2
RubyonrailsRails Version2.2.0
RubyonrailsRails Version2.2.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 8.08% 0.941
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
http://secunia.com/advisories/38915
http://secunia.com/advisories/36600
Vendor Advisory
http://www.vupen.com/english/advisories/2009/2544
Vendor Advisory
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
http://www.openwall.com/lists/oss-security/2009/11/28/1
http://www.openwall.com/lists/oss-security/2009/12/02/2
http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
Exploit