OSVDB-114435: CSRF token fixation attacks
Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack is only exploitable when the attacker can fix the target's session before the victim signs in, for example by setting a cookie from a sibling subdomain or by fixing the session over a shared Wi-Fi network. Because the CSRF token lives in that session and was not rotated on sign-in, an attacker who knows the token can make cross-site request forgery requests against the victim's authenticated session. Fixed in Devise 3.4.1, which deletes the CSRF token from the session on authentication (the `clean_up_csrf_token_on_authentication` setting).
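The following added example (not Devise's own code) models the attack and the fix with a plain hash standing in for the Rails session. The `App`, `sign_in` and `transfer` names and the `reset_csrf_on_sign_in` switch are assumptions for illustration; Rails' token masking is omitted because it does not affect fixation. The attacker fixes a session whose `_csrf_token` they know, the victim logs in on it, and the attacker's forged request is then accepted unless the token is dropped at sign-in.

```ruby
# Added example: CSRF token fixation against a Devise-style session.
require 'securerandom'

# Minimal stand-in for a Rails session (assumption: a symbol-keyed hash).
# The real session is a signed cookie, but a fixation attacker chooses its
# contents indirectly (subdomain cookie, same-network fixation).
class App
  attr_reader :session

  def initialize(session = {}, reset_csrf_on_sign_in: false)
    @session = session
    @reset_csrf_on_sign_in = reset_csrf_on_sign_in
  end

  # Like form_authenticity_token: lazily create one token per session.
  def csrf_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Sign the user in. The hardened variant drops the pre-login token, which is
  # what Devise 3.4.1 does with clean_up_csrf_token_on_authentication.
  def sign_in(user_id)
    @session.delete(:_csrf_token) if @reset_csrf_on_sign_in
    @session[:user_id] = user_id
  end

  # A state-changing request, honoured only with a matching token.
  def transfer(params)
    return :rejected_csrf unless valid_token?(params[:authenticity_token])
    return :rejected_unauthenticated unless @session[:user_id]
    :transferred
  end

  private

  # Constant-time comparison, as ActiveSupport::SecurityUtils.secure_compare does.
  def valid_token?(given)
    expected = @session[:_csrf_token]
    return false if given.nil? || expected.nil? || given.bytesize != expected.bytesize
    diff = 0
    given.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# Scenario: the attacker fixes the session (and so the CSRF token) before the
# victim logs in, then sends a forged cross-site POST carrying that token.
def run_attack(reset_csrf_on_sign_in:)
  attacker_token = 'attacker-chosen-token'            # constructed value
  fixed_session = { _csrf_token: attacker_token }       # planted by the attacker
  app = App.new(fixed_session, reset_csrf_on_sign_in: reset_csrf_on_sign_in)
  app.sign_in(42)                                       # victim authenticates
  app.transfer(authenticity_token: attacker_token)      # attacker's forged request
end

# A legitimate post-login request must still succeed after the token is rotated.
def run_legitimate
  app = App.new({}, reset_csrf_on_sign_in: true)
  app.sign_in(42)
  app.transfer(authenticity_token: app.csrf_token)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_attack(reset_csrf_on_sign_in: false)}"
  puts "hardened:   #{run_attack(reset_csrf_on_sign_in: true)}"
  puts "legitimate: #{run_legitimate}"
end
```

Rotating the token at authentication is what closes the hole; note the practical caveat from Devise's own initializer: a page that signs in over AJAX must fetch a fresh token afterwards, since the one it rendered before login is no longer valid.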
References