Cross-site Request Forgery (CSRF) affecting actionpack package, versions >= 3.0.0, <= 3.0.3 and >= 2.1.0, <= 2.3.10


Snyk CVSS: medium
  • Attack Complexity: Low
  • User Interaction: Required

Threat Intelligence
  • EPSS: 0.38% (73rd percentile)
NVD: 6.3 medium

  • Snyk ID SNYK-RUBY-ACTIONPACK-20275
  • published 28 Feb 2017
  • disclosed 8 Feb 2011
  • credit Felix Gröbert

Overview

actionpack is the Rails component that handles web requests and builds responses. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) attacks.

Details

HTTP requests are not properly validated: a request carrying an X-Requested-With header is treated as a trusted AJAX request and is exempted from the CSRF token check, and that header can be manipulated by an attacker. By spoofing AJAX and API requests through a combination of browser plugins and HTTP redirects, an attacker may bypass the built-in CSRF protection and successfully attack an application.
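The following added example (not actionpack's or Rails' own code) is a simplified model of the flaw: a CSRF check that waives the token whenever X-Requested-With is present, next to a hardened check that requires the authenticity token on every state-changing request regardless of that header. `Request`, `header`, and the two `verified_request_*?` functions are assumed names for this illustration.

```ruby
# Minimal stand-in for a framework request object (assumed, not Rails' class).
Request = Struct.new(:method, :headers, :params, keyword_init: true)

def header(req, name)
  (req.headers || {})[name]
end

# GET/HEAD are not expected to change state, so no token is demanded for them.
def safe_method?(req)
  %w[GET HEAD].include?(req.method)
end

# Constant-time comparison so the token check does not leak timing information.
def tokens_match?(session_token, supplied)
  return false if session_token.nil? || supplied.nil?
  return false unless supplied.bytesize == session_token.bytesize
  supplied.bytes.zip(session_token.bytes)
          .inject(0) { |acc, (a, b)| acc | (a ^ b) }
          .zero?
end

# Vulnerable pattern: the X-Requested-With header is taken as proof that the
# request came from same-origin JavaScript, so the token is never checked.
# Any client that can attach the header gets past the protection.
def verified_request_vulnerable?(req, session_token)
  return true if safe_method?(req)
  return true if header(req, 'X-Requested-With') == 'XMLHttpRequest'
  tokens_match?(session_token, (req.params || {})['authenticity_token'])
end

# Hardened pattern: a request header is not a credential. Every unsafe request
# must present the session's token, either in the form body or in an
# X-CSRF-Token header that legitimate same-origin AJAX code can set.
def verified_request_hardened?(req, session_token)
  return true if safe_method?(req)
  supplied = (req.params || {})['authenticity_token'] || header(req, 'X-CSRF-Token')
  tokens_match?(session_token, supplied)
end
```

A request that carries only the X-Requested-With header and no token passes the vulnerable check and is rejected by the hardened one.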