CVE-2008-7248

Improper Input Validation in gem/actionpack

Identifiers

GHSA-8fqx-7pv4-3jwm, CVE-2008-7248

Package Slug

gem/actionpack

Vulnerability

Improper Input Validation

Description

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

Affected Versions

All versions starting from 2.1.0 before 2.1.3, all versions starting from 2.2.0 before 2.2.2

Solution

Upgrade to versions 2.1.3, 2.2.2 or above.

Last Modified

2023-05-29

source