What the vulnerability does

01Description

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

Key dates

02Disclosure timeline

April 26, 2019 CVE published
August 6, 2024 Record updated

Related vulnerabilities

04Related CVE