Ruby on Rails CSRF protection bypass vulnerability

There is a vulnerability in Ruby on Rails which could allow an attacker to circumvent the CSRF protection provided.

The issue affects versions 2.1.0 and above and has been fixed in versions 3.0.4 and 2.3.11.

Certain combinations of browser plugins and HTTP redirects can be used to trick the user’s browser into making cross-domain requests which include arbitrary HTTP headers specified by the attacker.

An attacker can use this to spoof Ajax and API requests, bypass the built-in CSRF protection, and successfully attack an application. All users running an affected release should upgrade or apply the patches immediately.
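The advisory's point is that a CSRF check which exempts requests that merely look like Ajax calls is only as strong as the attacker's inability to forge the headers that mark them. The following is an added illustration, not Rails' source code and not the patch itself: a minimal model of per-request verification with a legacy-style check that trusts an `X-Requested-With` marker header (assumed here as the exempting header) beside a hardened check that demands the session's token on every state-changing request, whether carried in a form field or in an `X-CSRF-Token` header (the header name is an assumption of this example). The request object and scenarios are constructed for the demonstration.

```ruby
require 'securerandom'

# Added example, not Rails' own code: a minimal model of per-request CSRF
# verification showing why exempting "Ajax-looking" requests is unsafe once
# an attacker can cause the victim's browser to attach arbitrary headers.

# Constructed stand-in for a request object.
Request = Struct.new(:http_method, :headers, :params, :session, keyword_init: true)

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
TOKEN_PARAM  = 'authenticity_token'   # token carried in a form field
TOKEN_HEADER = 'X-CSRF-Token'         # assumed header name for XHR callers
XHR_MARKER   = 'X-Requested-With'     # marker header the legacy check trusted (assumption)

# Compare two tokens without leaking their position of first mismatch via timing.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def token_matches?(req)
  expected  = req.session[:csrf_token]
  presented = req.params[TOKEN_PARAM] || req.headers[TOKEN_HEADER]
  constant_time_equal?(expected, presented)
end

# Legacy-style check: any request carrying the XHR marker skips token verification.
# A forged cross-domain request that includes the marker is therefore accepted.
def verified_legacy?(req)
  SAFE_METHODS.include?(req.http_method) ||
    req.headers[XHR_MARKER] == 'XMLHttpRequest' ||
    token_matches?(req)
end

# Hardened check: every state-changing request must present the session's token.
# Headers the attacker can forge carry no weight; only the secret does.
def verified_hardened?(req)
  SAFE_METHODS.include?(req.http_method) || token_matches?(req)
end

def new_session
  { csrf_token: SecureRandom.base64(32) }
end

# Constructed scenario: the victim's browser is induced to send a POST with an
# attacker-chosen marker header but, because the attacker cannot read the
# victim's session, no valid token.
def forged_request(session)
  Request.new(http_method: 'POST', headers: { XHR_MARKER => 'XMLHttpRequest' },
              params: {}, session: session)
end

# Constructed scenario: the application's own XHR client sends the token in a header.
def legit_xhr_request(session)
  Request.new(http_method: 'POST',
              headers: { XHR_MARKER => 'XMLHttpRequest', TOKEN_HEADER => session[:csrf_token] },
              params: {}, session: session)
end

if __FILE__ == $PROGRAM_NAME
  s = new_session
  puts "forged: legacy=#{verified_legacy?(forged_request(s))} hardened=#{verified_hardened?(forged_request(s))}"
  puts "legit:  legacy=#{verified_legacy?(legit_xhr_request(s))} hardened=#{verified_hardened?(legit_xhr_request(s))}"
end
```

Run it with `ruby csrf_model.rb`: the forged request passes the legacy check and fails the hardened one, while the application's own XHR call passes both. The design point is that an exemption keyed on a header is an exemption keyed on something the attacker may control; only a per-session secret the cross-origin page cannot read distinguishes the two requests.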
