CVE-2016-3098: Cross-site request forgery
Administrate::ApplicationController actions don't have CSRF protection. Remote attackers can hijack users' sessions and use any functionality that Administrate exposes on their behalf.
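The effect of a base controller without a CSRF check, and of adding one, can be seen in a small model. This is an added example, not code from Administrate or Rails: every class, module and parameter name in it is hypothetical, and the request and session objects are constructed stand-ins for a real controller stack.

```ruby
require "securerandom"

# Simplified model of a controller stack; not Rails or Administrate code.
class ForgedRequest < StandardError; end
Request = Struct.new(:verb, :session, :params)

# Base class without a CSRF check: every subclass action inherits the gap.
class UnprotectedBase
  def process(request)
    check(request)
    perform(request)
  end

  def check(_request); end
end

# Base class with a synchronizer-token check on state-changing verbs.
class ProtectedBase < UnprotectedBase
  SAFE_VERBS = %w[GET HEAD].freeze

  def self.issue_token(session)
    session[:csrf_token] ||= SecureRandom.base64(32)
  end

  def check(request)
    return if SAFE_VERBS.include?(request.verb)
    expected = request.session[:csrf_token].to_s
    given = request.params["authenticity_token"].to_s
    raise ForgedRequest if expected.empty? || !secure_equal?(expected, given)
  end

  private

  # Constant-time comparison: avoids leaking how many leading bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical admin action shared by both controllers.
module DeleteUser
  def perform(request)
    "deleted user #{request.params['id']}"
  end
end

class VulnerableUsersController < UnprotectedBase; include DeleteUser; end
class HardenedUsersController < ProtectedBase; include DeleteUser; end
```

A POST that carries the session but no token succeeds against `VulnerableUsersController` and raises `ForgedRequest` against `HardenedUsersController`. In a real Rails application the corresponding control is `protect_from_forgery` on the controller that the admin controllers inherit from.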