Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-Site Request Forgery in better_errors
Vulnerability Description
better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Better Errors跨站请求伪造漏洞
Vulnerability Description
Better Errors是一个更好、更有用的错误页面替换了标准的 Rails 错误页面。 Better Errors 2.8.0之前版本存在跨站请求伪造漏洞,该漏洞源于软件没有为其内部请求实现CSRF保护。它也没有对这些请求强制执行并检查正确的“Content-Type”标头,这使得跨站的“简单请求”可以在没有CORS保护的情况下发出。这些因素共同导致应用程序容易受到跨站攻击。
CVSS Information
N/A
Vulnerability Type
N/A