CVE-2008-7248
Ruby on Rails 2.3.5 - 'protect_from_forgery' Cross-Site Request Forgery
- Public Exploits: 2
- Exploited in Wild: -
Descriptions
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Multiple vulnerabilities have been discovered in Rails, the worst of which leads to the execution of arbitrary SQL statements. Versions earlier than 2.2.2 are affected.
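As an added illustration (not Rails' own code), a simplified model of the class of check the description refers to: a forgery check that only compares the authenticity token for an allow-list of form content types, beside a hardened version that verifies every non-GET request. The allow-list, the request struct and the token values are assumptions made for this example.

```ruby
# Added example (not Rails' own code): a simplified model of a CSRF check
# that decides whether to verify the token based on the Content-Type the
# client sent, beside the hardened form that verifies every non-GET request.
require 'set'

Request = Struct.new(:method, :content_type, :params, keyword_init: true)

SESSION_TOKEN = 'constructed-session-token' # constructed sample value
TOKEN_PARAM   = 'authenticity_token'

# Assumed allow-list that models the bug class: a request whose
# Content-Type is not listed never has its token compared.
FORM_TYPES = Set['application/x-www-form-urlencoded',
                 'multipart/form-data'].freeze

def token_matches?(request)
  request.params[TOKEN_PARAM] == SESSION_TOKEN
end

# Weak: a request with an unlisted Content-Type such as text/plain
# (which a browser can send from a cross-site form) is accepted
# without the token ever being checked.
def weak_verified?(request)
  return true if request.method == 'GET'
  media_type = request.content_type.to_s.split(';').first
  return true unless FORM_TYPES.include?(media_type)
  token_matches?(request)
end

# Hardened: every non-GET request must carry a valid token. Content-Type
# is client-controlled and must not decide whether verification applies.
def hardened_verified?(request)
  return true if request.method == 'GET'
  token_matches?(request)
end

# Constructed sample requests: a cross-site text/plain POST with no token,
# and a legitimate same-site form POST carrying the session token.
CROSS_SITE_POST = Request.new(method: 'POST', content_type: 'text/plain',
                              params: { 'action' => 'transfer' })
LEGIT_POST = Request.new(method: 'POST',
                         content_type: 'application/x-www-form-urlencoded',
                         params: { TOKEN_PARAM => SESSION_TOKEN })

if __FILE__ == $PROGRAM_NAME
  puts "weak check accepts text/plain POST without token: #{weak_verified?(CROSS_SITE_POST)}"
  puts "hardened check accepts the same request:          #{hardened_verified?(CROSS_SITE_POST)}"
  puts "hardened check accepts legitimate request:        #{hardened_verified?(LEGIT_POST)}"
end
```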
Timeline
- 2009-12-11 CVE Reserved
- 2009-12-16 CVE Published
- 2014-05-18 First Exploit
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-20: Improper Input Validation
References (11)

URL | Tag | Source
---|---|---
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en | X_refsource_misc |
http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup | X_refsource_misc |
http://secunia.com/advisories/38915 | Third Party Advisory |
http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1 | X_refsource_confirm |
http://www.openwall.com/lists/oss-security/2009/11/28/1 | Mailing List |
http://www.openwall.com/lists/oss-security/2009/12/02/2 | Mailing List |

Exploit references

URL | Date | SRC
---|---|---
https://www.exploit-db.com/exploits/33402 | 2014-05-18 |
http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html | 2024-08-07 |

Advisory references

URL | Date | SRC
---|---|---
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html | 2023-02-13 |
http://secunia.com/advisories/36600 | 2023-02-13 |
http://www.vupen.com/english/advisories/2009/2544 | 2023-02-13 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Rubyonrails | Rails | 2.1.0 | - | Affected
Rubyonrails | Rails | 2.1.1 | - | Affected
Rubyonrails | Rails | 2.1.2 | - | Affected
Rubyonrails | Rails | 2.2.0 | - | Affected
Rubyonrails | Rails | 2.2.1 | - | Affected