Lucene search

[email protected]CVE-2013-4562

HistoryMay 13, 2014 - 3:55 p.m.

CVE-2013-4562

2014-05-1315:55:00

CWE-352

[email protected]

web.nvd.nist.gov

ominauth

facebook

gem

csrf

security

vulnerability

session parameter

nvd

cve-2013-4562

7 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.5%

JSON

The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store the session parameter, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the state parameter.

CPENameOperatorVersion
madeofcode:omniauth-facebookmadeofcode omniauth-facebookeq1.4.1

CPE	Name	Operator	Version
madeofcode:omniauth-facebook	madeofcode omniauth-facebook	eq	1.4.1

References

osvdb.org/ref/99/omniauth-facebook_gem.txt

seclists.org/oss-sec/2013/q4/264

seclists.org/oss-sec/2013/q4/267

www.osvdb.org/99693

github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7

groups.google.com/d/msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ

7 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.5%

JSON

Related for CVE-2013-4562

prion1 cvelist1 osv1 debiancve1 github1