3 matches found
CVE-2021-28680
The devisemasquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise without this extension is used. If the...
CVE-2021-28680
The devisemasquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise without this extension is used. If the...
CVE-2021-28680
CVE-2021-28680 concerns the devise_masquerade gem prior to 1.3. The vulnerability allows an attacker to impersonate a target user by manipulating the session cookie and choosing the destination user, without needing that user’s password salt. This weakens a masquerading feature in deployments tha...