omniauth is vulnerable to cross-site request forgery (CSRF). The request phase does not verify the authenticity of client requests. When this is combined with another CSRF vulnerability on the side of a connected OAuth provider, a remote attacker can gain full access to a user's account on a site that uses OmniAuth.
Name | Operator | Version
---|---|---
omniauth | le | 2.0.0.pre.rc1
ruby-omniauth:sid | eq | 1.9.1-1
ruby-omniauth:bookworm | eq | 1.9.1-1
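
The missing check in the request phase, sketched as a Rack-style guard that only lets a POST carrying a session-bound token reach `/auth/:provider`. This is an added example, not OmniAuth's own code; the `/auth` prefix, the session key `csrf_token`, the form field `authenticity_token` and the pre-parsed `rack.request.form_hash` are assumptions.

```ruby
require "securerandom"
require "digest"

# Rack-style middleware (added illustration, not OmniAuth's code).
class RequestPhaseGuard
  # Assumed names: "/auth" prefix, session key and form field below.
  def initialize(app, prefix: "/auth", session_key: "csrf_token", field: "authenticity_token")
    @app, @session_key, @field = app, session_key, field
    # Matches /auth/:provider only; /auth/:provider/callback is left alone.
    @request_phase = %r{\A#{Regexp.escape(prefix)}/[^/]+/?\z}
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.match?(@request_phase)
    # A GET can be triggered cross-site by a link or image tag, so refuse it.
    return deny(405, "request phase requires POST") unless env["REQUEST_METHOD"] == "POST"

    expected = (env["rack.session"] || {})[@session_key]
    # Assumption: an earlier layer already parsed the form body into this key.
    sent = (env["rack.request.form_hash"] || {})[@field]
    return deny(403, "invalid authenticity token") unless valid?(expected, sent)

    @app.call(env)
  end

  private

  # Constant-time comparison over fixed-length digests.
  def valid?(expected, sent)
    return false if expected.to_s.empty? || sent.to_s.empty?
    a = Digest::SHA256.digest(expected.to_s).bytes
    b = Digest::SHA256.digest(sent.to_s).bytes
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def deny(status, message)
    [status, { "content-type" => "text/plain" }, [message]]
  end
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.hex(16) # constructed sample token
  guard = RequestPhaseGuard.new(->(_env) { [302, {}, ["to provider"]] })
  env = { "PATH_INFO" => "/auth/example", "REQUEST_METHOD" => "GET",
          "rack.session" => { "csrf_token" => token } }
  puts guard.call(env)[0]
  env = env.merge("REQUEST_METHOD" => "POST", "rack.request.form_hash" => { "authenticity_token" => token })
  puts guard.call(env)[0]
end
```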