7 matches found
GHSA-9PR6-GRF4-X2FR Omniauth allows POST parameters to be stored in session
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
CVE-2017-18076
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
Session fixation
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
CVE-2017-18076
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
CVE-2017-18076
CVE-2017-18076 affects the OmniAuth Ruby library, specifically the code path in strategy.rb prior to version 1.3.2. The vulnerability stems from POST parameters being stored in the session in addition to GET parameters, which makes the authenticity_token (CSRF token) available in the callback pha...
CVE-2017-18076
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...
omniauth leaks authenticity token in callback params
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST in addition to GET parameters are stored in the session and become available in the environment of the callback phase...