kanevk closed this issue 4 years ago
I don't think so, but I haven't confirmed. It seems to be specifically related to OAuth clients.
Impact is described over here https://github.com/omniauth/omniauth/pull/809
The request phase in OmniAuth is currently vulnerable to Cross-Site Request Forgery, which allows an attacker to easily gain full access to a user's account on a site that uses OmniAuth, when used in combination with another CSRF vulnerability on the side of a connected OAuth provider.
Hello,
Does the security vulnerability CVE-2015-9284 concern the omniauth-saml gem?