184 matches found
Design/Logic Flaw
Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the inherent entropy limitations of the Time-based One-Time Password (TOTP) algorithm, it is possible for an attacker to bypass the 2FA mechanism through brute-force attacks...
CVE-2024-0227
Devise-Two-Factor is vulnerable to brute-force attacks because it does not throttle login attempts by default, allowing an attacker who already holds the username and password to test possible TOTP codes. Documents from RubySec and GitHub advisories describe an attacker bypassing 2FA by brute-forcing TOTP, w...
PT-2024-15397 · Unknown · Devise-Two-Factor
Name of the Vulnerable Software and Affected Versions: Devise-Two-Factor (affected versions not specified). Description: The issue concerns Devise-Two-Factor not throttling or restricting login attempts at the server by default. When combined with the Time-based One-Time Password (TOTP) algorithm's...
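The entries above describe the attacker model but not what the missing control looks like. The following is an added example, not code from Devise-Two-Factor or any of the advisories: a stdlib-only RFC 6238 TOTP verifier that can run either unthrottled (the default the advisories describe) or with a per-account failure lock plus replay rejection, and a brute-force loop that plays the attacker who already has the password. The secret, clock value and MAX_ATTEMPTS limit are constructed for the demo.

```ruby
require 'openssl'

TOTP_STEP   = 30
TOTP_DIGITS = 6

# RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step) for a raw-byte secret at Unix time `time`.
def totp_code(secret, time, step: TOTP_STEP, digits: TOTP_DIGITS)
  counter = [time / step].pack('Q>')                       # 8-byte big-endian counter
  hmac    = OpenSSL::HMAC.digest('SHA1', secret, counter).bytes
  offset  = hmac.last & 0x0f                                # dynamic truncation offset
  value   = hmac[offset, 4].pack('C*').unpack1('N') & 0x7fffffff
  format("%0#{digits}d", value % (10**digits))
end

# Constant-time comparison so response timing does not leak how many digits matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Second-factor verifier. throttle: false reproduces the unthrottled default the
# advisory describes; throttle: true locks after MAX_ATTEMPTS consecutive
# failures and refuses reuse of an already accepted code (replay).
class OtpVerifier
  MAX_ATTEMPTS = 5   # constructed limit for the demo

  def initialize(secret, throttle:, drift: 1)
    @secret, @throttle, @drift = secret, throttle, drift
    @failures = 0
    @last_accepted_step = nil
    @window = {}
  end

  def verify(code, now)
    return :locked if @throttle && @failures >= MAX_ATTEMPTS
    window_codes(now / TOTP_STEP).each do |accepted_step, expected|
      next unless secure_equal?(code, expected)
      return :replayed if @last_accepted_step && accepted_step <= @last_accepted_step
      @last_accepted_step = accepted_step
      @failures = 0
      return :ok
    end
    @failures += 1
    :rejected
  end

  private

  # Codes accepted around `step` (+/- drift steps of clock skew), computed once per step.
  def window_codes(step)
    @window[step] ||= (-@drift..@drift).map do |d|
      [step + d, totp_code(@secret, (step + d) * TOTP_STEP)]
    end
  end
end

# Attacker model from the advisory: username and password already known, so
# the attacker submits every possible code in order inside one time step.
# Returns [outcome, attempts_used].
def brute_force(verifier, now)
  (0...10**TOTP_DIGITS).each do |n|
    outcome = verifier.verify(format("%0#{TOTP_DIGITS}d", n), now)
    return [outcome, n + 1] if outcome == :ok || outcome == :locked
  end
  [:exhausted, 10**TOTP_DIGITS]
end

# Constructed demo secret and fixed clock so the run is reproducible (not real credentials).
DEMO_SECRET = '0123456789abcdefghij'.b   # 20 raw bytes, as an authenticator secret would be
DEMO_NOW    = 1_700_000_000

if __FILE__ == $PROGRAM_NAME
  outcome, tries = brute_force(OtpVerifier.new(DEMO_SECRET, throttle: false), DEMO_NOW)
  puts "unthrottled: #{outcome} after #{tries} attempts"
  outcome, tries = brute_force(OtpVerifier.new(DEMO_SECRET, throttle: true), DEMO_NOW)
  puts "throttled:   #{outcome} after #{tries} attempts"
end
```

With a 6-digit code and a drift window of one step either side, the unthrottled verifier accepts one of three values out of a million, so sequential guessing succeeds after a few hundred thousand requests on average; the throttled verifier answers :locked on the sixth request. In a real deployment the failure counter must live in shared server-side state (database or cache), not in a per-process object, or a distributed attacker simply spreads requests across workers.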
Number withdrawn
Devise-Two-Factor is a minimalist extension to Devise. It is used to provide support for two-factor authentication through the TOTP scheme. This CVE number has been withdrawn...
SUSE CVE-2015-8314
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...
CVE-2015-8314
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...
DEBIAN-CVE-2015-8314
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...
Design/Logic Flaw
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...
Devise Security Breach
Devise is a flexible Warden-based authentication solution for Rails. A security vulnerability exists in versions prior to Devise 3.5.4 that stems from mishandling of the "Remember me" session cookie, which could allow an attacker holding a stolen cookie to gain unauthorized persistent access to the application...
CVE-2015-8314
CVE-2015-8314 affects the Devise gem for Ruby prior to 3.5.4, where the Remember Me cookie handling is flawed. This flaw may allow an attacker to obtain unauthorized persistent access to an application by leveraging the compromised cookie. The issue is reported across multiple sources (Red Hat, D...
SUSE CVE-2013-0233
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass...
GHSA-746G-3GFP-HFHW Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie
Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the...
Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie
Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the...
PT-2023-10322 · Devise · Devise
Name of the Vulnerable Software and Affected Versions: Devise versions prior to 3.5.4. Description: The issue concerns the mishandling of Remember Me cookies for sessions, potentially allowing an adversary to gain unauthorized persistent application access. Specifically, the Devise gem generates t...
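The advisories above (GHSA-746g-3gfp-hfhw and the CVE-2015-8314 entries) boil down to one design property: a remember-me cookie derived only from per-user state is identical on every device and survives until the password changes. The following added example, written for this page and not taken from Devise or its fix, puts that scheme beside a per-device alternative so the difference in revocation behaviour can be exercised directly. The User struct, server key, cookie layout and the series/token split are all constructed assumptions, not Devise's cookie format.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Constructed user record: the password salt stands in for the per-user state
# a cookie might be bound to (it changes when the password changes).
User = Struct.new(:id, :password_salt)

# Constant-time comparison for cookie tags and token hashes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Scheme A (the weakness the advisory describes): the cookie is an HMAC over
# per-user state only, so every device receives the identical value and
# nothing but a password change (which rotates the salt) invalidates a stolen copy.
class SharedRememberScheme
  def initialize(server_key)
    @key = server_key
  end

  def issue(user)
    "#{user.id}|#{tag_for(user)}"
  end

  def authenticate(cookie, users)
    id, tag = cookie.to_s.split('|', 2)
    user = id && users[id.to_i]
    return nil unless user && tag
    secure_equal?(tag, tag_for(user)) ? user : nil
  end

  # No per-device state exists, so signing out on one device revokes nothing.
  def sign_out(_cookie); end

  # Only the salt rotation itself invalidates old cookies; nothing to do here.
  def password_changed(_user); end

  private

  def tag_for(user)
    OpenSSL::HMAC.hexdigest('SHA256', @key, "#{user.id}|#{user.password_salt}")
  end
end

# Scheme B: each sign-in mints a random per-device token; the server keeps only
# its hash under a random series id, so one stolen cookie can be revoked on its
# own and a password change revokes all of them at once.
class PerDeviceRememberScheme
  def initialize
    @series = {}   # series id => { user_id:, token_hash: }  (server-side table)
  end

  def issue(user)
    series = SecureRandom.hex(8)
    token  = SecureRandom.hex(16)
    @series[series] = { user_id: user.id, token_hash: Digest::SHA256.hexdigest(token) }
    "#{user.id}|#{series}|#{token}"
  end

  def authenticate(cookie, users)
    id, series, token = cookie.to_s.split('|', 3)
    rec = series && @series[series]
    return nil unless rec && token && id && rec[:user_id] == id.to_i
    secure_equal?(Digest::SHA256.hexdigest(token), rec[:token_hash]) ? users[id.to_i] : nil
  end

  def sign_out(cookie)
    _id, series, _token = cookie.to_s.split('|', 3)
    @series.delete(series)
  end

  def password_changed(user)
    @series.delete_if { |_, rec| rec[:user_id] == user.id }
  end
end
```

The server-side table is what makes revocation possible: a stolen cookie from a laptop can be killed by signing that laptop out (or from an account settings page listing active sessions) while the phone stays logged in, and a password change clears the whole table for that user. Scheme A cannot distinguish devices at all, which is exactly why the advisory's mitigation amounts to "change the password".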
GHSA-MVQR-R76C-WM5F Devise Token Auth vulnerable to Cross-site Scripting
An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to reflected cross-site scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...
Devise Token Auth vulnerable to Cross-site Scripting
An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to reflected cross-site scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...
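The Devise Token Auth entries describe a reflected XSS in a failure endpoint's message parameter. The following added example, not taken from Devise Token Auth, shows the vulnerable rendering pattern next to two fixes: escaping the reflected value, and not reflecting it at all by mapping it to fixed server-side text. The URL, path, KNOWN_REASONS table and render_* helpers are constructed for the demo and are not the project's routes or templates.

```ruby
require 'erb'
require 'uri'

# Decode the query string of a crafted URL into the params hash a failure
# endpoint would see.
def params_from(url)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h
end

# Vulnerable pattern: the request-controlled message is interpolated into HTML raw.
def render_failure_unsafe(params)
  "<p class=\"error\">Authentication failed: #{params['message']}</p>"
end

# Fix 1: HTML-escape everything that came from the request before it reaches the page.
def render_failure_escaped(params)
  "<p class=\"error\">Authentication failed: #{ERB::Util.html_escape(params['message'].to_s)}</p>"
end

# Fix 2 (stronger; assumes the set of legitimate failure reasons is finite):
# map the parameter to fixed server-side text and never reflect it at all.
KNOWN_REASONS = {                         # constructed table, not the project's messages
  'invalid_credentials' => 'the provider rejected your credentials',
  'timeout'             => 'the provider did not respond in time',
}.freeze

def render_failure_allowlisted(params)
  text = KNOWN_REASONS.fetch(params['message'].to_s, 'an unknown error')
  "<p class=\"error\">Authentication failed: #{ERB::Util.html_escape(text)}</p>"
end

# Constructed attacker URL (hostname and path are placeholders).
ATTACK_URL = 'https://app.example/auth/failure?message=' +
             URI.encode_www_form_component('<script>alert(document.cookie)</script>')

if __FILE__ == $PROGRAM_NAME
  p = params_from(ATTACK_URL)
  puts render_failure_unsafe(p)        # payload lands in the page verbatim
  puts render_failure_escaped(p)       # &lt;script&gt;... is inert text
  puts render_failure_allowlisted(p)   # attacker input never reaches the page
end
```

Escaping is the minimum fix for any value echoed into HTML; the allow-list variant additionally removes the parameter from the output entirely, which is the better shape for an endpoint whose only job is to report a small set of known failure reasons. Note that escaping is context-specific: the same value placed inside a JavaScript string or an attribute needs the encoder for that context, not html_escape.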