mirror of
https://github.com/0xMarcio/cve.git
synced 2025-11-30 18:56:19 +00:00
1.6 KiB
1.6 KiB
CVE-2015-9284
%20(CWE-352)&color=brighgreen)
Description
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
POC
Reference
No PoCs from references.
Github
- https://github.com/18F/omniauth_login_dot_gov
- https://github.com/ARPSyndicate/cvemon
- https://github.com/YuriAkita/omniauth_clone
- https://github.com/cookpad/omniauth-rails_csrf_protection
- https://github.com/deepin-community/ruby-omniauth
- https://github.com/evilmartians/omniauth-ebay-oauth
- https://github.com/hakanensari/amazon-omniauth-sandbox
- https://github.com/jcpny1/recipe-cat
- https://github.com/jonathanbruno/omniauth-ebay-oauth
- https://github.com/liukun-lk/omniauth-dingtalk
- https://github.com/omniauth/omniauth
- https://github.com/pixielabs/balrog
- https://github.com/rainchen/code_quality
- https://github.com/rubyonjets/omniauth-jets_csrf_protection
- https://github.com/shotgunsoftware/omniauth-forge
- https://github.com/umd-lib/archelon
- https://github.com/ytojima/devise_omniauth-google-oauth2_sample