Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and
3.x before 3.0.4, does not properly validate HTTP requests that
contain an X-Requested-With header, which makes it easier for
remote attackers to conduct cross-site request forgery (CSRF)
attacks via forged (1) AJAX or (2) API requests that leverage
“combinations of browser plugins and HTTP redirects,”
a related issue to CVE-2011-0696.
CPE | Name | Operator | Version |
---|---|---|---|
actionpack | lt | 2.1.0 | |
actionpack | le | 2.3.10 | |
actionpack | ge | 2.4.0 | |
actionpack | lt | 3.0.4 |