CVE-2015-8314
CVE-2015-8314 affects the Devise gem for Ruby prior to 3.5.4, where the Remember Me cookie handling is flawed. This flaw may allow an attacker to obtain unauthorized persistent access to an application by leveraging the compromised cookie. The issue is reported across multiple sources (Red Hat, D...
CVE-2026-40295
CVE-2026-40295 affects Devise (Rails/Warden) where FailureApp#redirect_url returns request.referrer for non-GET timeouts, enabling open redirects to attacker-controlled URLs. This occurs in Devise 5.0.3 and earlier and can cause phishing or malware delivery by redirecting expired-session users to...
CVE-2026-32700
Devise (Rails) prior to v5.0.3 has a race condition in the Confirmable module used with reconfirmable, allowing an attacker to confirm a victim’s email by issuing two concurrent email-change requests. This desynchronizes confirmation_token and unconfirmed_email; the attacker controls the token’s ...