CVE-2013-4562

Published: May 13, 2014Modified: May 6, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store the session parameter, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the state parameter.

Affected (1)

Products: Madeofcode: Omniauth Facebook

Madeofcode

1 product

Omniauth Facebook

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Madeofcode Omniauth Facebook	Version 1.4.1

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (12)

http://osvdb.org/ref/99/omniauth-facebook_gem.txt

Source: secalert@redhat.com

http://seclists.org/oss-sec/2013/q4/264

Source: secalert@redhat.com

http://seclists.org/oss-sec/2013/q4/267

Source: secalert@redhat.com

http://www.osvdb.org/99693

Source: secalert@redhat.com

https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7

Source: secalert@redhat.com

ExploitPatch

https://groups.google.com/d/msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ

Source: secalert@redhat.com

http://osvdb.org/ref/99/omniauth-facebook_gem.txt