Omniauth 1.1.0 Security Vulnerabilities
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2022-08-18
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
CVSS Score: 8.8 | EPSS Score: 0.008 | Published: 2019-04-26
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2018-01-26
Shodan ® - All rights reserved