Source: gitlab
https://gitlab.com/gitlab-org/security-products/gemnasium-db
ID: GITLAB-8BBF25729DD383C77899D4A15BBDC458
History: Apr 01, 2016 - 12:00 a.m.

Cross-site request forgery

2016-04-01 00:00:00
https://gitlab.com/gitlab-org/security-products/gemnasium-db
gitlab.com
CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Administrate::ApplicationController actions don't have CSRF protection. Remote attackers can hijack users' sessions and use any functionality that administrate exposes on their behalf.

CPE
Name: gem/administrate
Operator: lt
Version: 0.1.5
