CVE-2021-29435, GHSA-h8hx-2c5r-32cf
gem/trestle-auth
Cross-Site Request Forgery (CSRF)
trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials.
Affected versions: all versions from 0.4.0 up to and including 0.4.1.
Fix: upgrade to version 0.4.2 or above.
2021-04-30