Cross-Site Request Forgery (CSRF) in trestle-auth

trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials. The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

跨站请求伪造(CSRF)

Sam Pohlenz trestle-auth 跨站请求伪造漏洞

Sam Pohlenz trestle-auth是Sam Pohlenz开源的一个应用软件。一个身份验证插件。 Trestle-auth 0.4.0版本和0.4.1版本存在跨站请求伪造漏洞，该漏洞会使攻击者更改用户的数据，包括管理帐户凭据。

N/A

N/A