
Omniauth


Vendor: Omniauth • 3 CVEs

CVEs (3)

Entry 1
  Vendors:     Omniauth (1)
  Products:    Omniauth (1)
  Updated:     Nov 21, 2024
  Published:   Aug 18, 2022
  CVSS:        v4 N/A; v3 9.8 CRITICAL; v2 N/A
  Description: lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

Entry 2
  Vendors:     Omniauth (1)
  Products:    Omniauth (1)
  Updated:     Nov 21, 2024
  Published:   Apr 26, 2019
  CVSS:        v4 N/A; v3 8.8 HIGH; v2 6.8 MEDIUM
  Description: The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

Entry 3
  Vendors:     Debian, Omniauth (2)
  Products:    Debian Linux, Omniauth (2)
  Updated:     Nov 21, 2024
  Published:   Jan 26, 2018
  CVSS:        v4 N/A; v3 7.5 HIGH; v2 5.0 MEDIUM
  Description: In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.