trestle-auth is vulnerable to cross-site request forgery. An attacker is able to create a form that will bypass Rails’ built-in CSRF protection when submitted by a victim with a trestle-auth admin session, allowing the attacker to alter protected data, including admin account credentials.
CPE | Name | Operator | Version |
---|---|---|---|
trestle-auth | le | 0.4.1 |
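
A lockfile check for the affected range listed in the table (trestle-auth, operator le, version 0.4.1), given as an added example that is not part of the original advisory or of the trestle-auth project. The sample lockfile, the `example-admin` gem and the helper names are constructed for illustration.

```ruby
require "rubygems" # Gem::Version gives correct version ordering

# Affected range as stated in the advisory table: trestle-auth <= 0.4.1
AFFECTED_GEM  = "trestle-auth"
LAST_AFFECTED = Gem::Version.new("0.4.1")

# Constructed sample Gemfile.lock (not from the advisory).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-admin (1.0.0)
        trestle-auth (~> 0.4)
      trestle-auth (0.4.1)

  DEPENDENCIES
    example-admin
    trestle-auth
LOCK

# Return the resolved versions of `name` from the "specs:" sections of a
# Gemfile.lock. Resolved gems sit at 4-space indent as "name (version)";
# 6-space lines are dependency constraints and are ignored.
def locked_versions(lockfile_text, name)
  in_specs = false
  versions = []
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ || line.strip.empty?
      in_specs = false # a new top-level section or a blank line ends specs
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)) && m[1] == name
      # Drop a platform suffix such as "1.2.3-x86_64-linux" before comparing.
      versions << Gem::Version.new(m[2].split("-").first)
    end
  end
  versions
end

# Versions of trestle-auth in the lockfile that fall in the affected range.
def affected_versions(lockfile_text)
  locked_versions(lockfile_text, AFFECTED_GEM).select { |v| v <= LAST_AFFECTED }
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  hits = affected_versions(text)
  puts hits.empty? ? "no affected trestle-auth version locked" : "affected: trestle-auth #{hits.join(', ')}"
end
```

Pass the path to a project's `Gemfile.lock` as the first argument to check a real application; with no argument the constructed sample is used.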