4 matches found
CVE-2026-32700
Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option the default when using...
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
Impact A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option the default when using Confirmable with email changes. By sending two concurrent email change requests, an...
Insufficient Verification of Data Authenticity
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the email address change. An attacker can cause unauthorized disclosure of information by updating their profile with an email address they do...
PT-2022-23161 · Unknown · Rubygems.Org
Name of the Vulnerable Software and Affected Versions: RubyGems.org affected versions not specified Description: A bug in the password and email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. This could enable the attacker to...