CVE-2021-29435

Cross-Site Request Forgery (CSRF) in gem/trestle-auth

Identifiers

CVE-2021-29435, GHSA-h8hx-2c5r-32cf

Package Slug

gem/trestle-auth

Vulnerability

Cross-Site Request Forgery (CSRF)

Description

trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials.

Affected Versions

All versions starting from 0.4.0 up to 0.4.1

Solution

Upgrade to version 0.4.2 or above.

Last Modified

2021-04-30