GSD-2013-4562
Vulnerability from gsd - Updated: 2013-11-12 00:00
Details
omniauth-facebook Gem for Ruby contains a flaw: HTTP requests do not
require multiple steps, explicit confirmation, or a unique token when
performing certain sensitive actions. By tricking a user into following
a specially crafted link, a context-dependent attacker can perform a
Cross-Site Request Forgery (CSRF / XSRF) attack, causing the victim to
perform an unspecified action.
{
"GSD": {
"alias": "CVE-2013-4562",
"description": "The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store the session parameter, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the state parameter.",
"id": "GSD-2013-4562",
"references": [
"https://www.suse.com/security/cve/CVE-2013-4562.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "omniauth-facebook",
"purl": "pkg:gem/omniauth-facebook"
}
}
],
"aliases": [
"CVE-2013-4562",
"OSVDB-99693"
],
"details": "omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not\nrequire multiple steps, explicit confirmation, or a unique token when\nperforming certain sensitive actions. By tricking a user into following\na specially crafted link, a context-dependent attacker can perform a\nCross-Site Request Forgery (CSRF / XSRF) attack causing the victim to\nperform an unspecified action.\n",
"id": "GSD-2013-4562",
"modified": "2013-11-12T00:00:00.000Z",
"published": "2013-11-12T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4562"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "omniauth-facebook Gem for Ruby Unspecified CSRF"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4562",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store the session parameter, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the state parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20131112 CVE request: rubygem omniauth-facebook CSRF vurnerability",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/264"
},
{
"name": "99693",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/99693"
},
{
"name": "https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7",
"refsource": "CONFIRM",
"url": "https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7"
},
{
"name": "[ruby-security-ann] 20131114 [CVE-2013-4562] RubyGem omniauth-facebook CSRF vulnerability",
"refsource": "MLIST",
"url": "https://groups.google.com/d/msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ"
},
{
"name": "http://osvdb.org/ref/99/omniauth-facebook_gem.txt",
"refsource": "MISC",
"url": "http://osvdb.org/ref/99/omniauth-facebook_gem.txt"
},
{
"name": "[oss-security] 20131112 Re: Re: CVE request: rubygem omniauth-facebook CSRF vurnerability",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q4/267"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4562",
"cvss_v2": 6.8,
"date": "2013-11-12",
"description": "omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not\nrequire multiple steps, explicit confirmation, or a unique token when\nperforming certain sensitive actions. By tricking a user into following\na specially crafted link, a context-dependent attacker can perform a\nCross-Site Request Forgery (CSRF / XSRF) attack causing the victim to\nperform an unspecified action.\n",
"gem": "omniauth-facebook",
"osvdb": 99693,
"patched_versions": [
"\u003e= 1.5.0"
],
"title": "omniauth-facebook Gem for Ruby Unspecified CSRF",
"unaffected_versions": [
"\u003c= 1.4.0"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4562"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "1.4.1",
"affected_versions": "Version 1.4.1",
"credit": "Egor Homakov (@homakov)",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2014-05-14",
"description": "The package omniauth-facebook is vulnerable to CSRF.",
"fixed_versions": [
"1.5.0"
],
"identifier": "CVE-2013-4562",
"identifiers": [
"CVE-2013-4562"
],
"not_impacted": "\u003c= 1.4.0",
"package_slug": "gem/omniauth-facebook",
"pubdate": "2014-05-13",
"solution": "Upgrade to 1.5.0 (cf: link for the patch prepared to release).",
"title": "CSRF vulnerability",
"urls": [
"https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7"
],
"uuid": "fad17516-b163-4d0d-a595-6e3441ab4b8b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:madeofcode:omniauth-facebook:1.4.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4562"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store the session parameter, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the state parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20131112 Re: Re: CVE request: rubygem omniauth-facebook CSRF vurnerability",
"refsource": "MLIST",
"tags": [],
"url": "http://seclists.org/oss-sec/2013/q4/267"
},
{
"name": "[ruby-security-ann] 20131114 [CVE-2013-4562] RubyGem omniauth-facebook CSRF vulnerability",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/d/msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ"
},
{
"name": "99693",
"refsource": "OSVDB",
"tags": [],
"url": "http://www.osvdb.org/99693"
},
{
"name": "[oss-security] 20131112 CVE request: rubygem omniauth-facebook CSRF vurnerability",
"refsource": "MLIST",
"tags": [],
"url": "http://seclists.org/oss-sec/2013/q4/264"
},
{
"name": "https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7"
},
{
"name": "http://osvdb.org/ref/99/omniauth-facebook_gem.txt",
"refsource": "MISC",
"tags": [],
"url": "http://osvdb.org/ref/99/omniauth-facebook_gem.txt"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2014-05-14T17:19Z",
"publishedDate": "2014-05-13T15:55Z"
}
}
}