Fix CVE in README

[marvinthepa]

CVE-2015-9284 is an old CSRF Bug in Omniauth, has nothing to do with CVE-2019-25025 which is a timing attack against session ids.

[sikachu]

🤦‍♂️ thank you very much.

I'll update release note and everything for this correction.

[thorsteneckel]

I'm really sorry - that was my fault. I copied the wrong CVE from our bundle-audit exclusion 🤦‍♂️ Thanks for looking out @marvinthepa and sorry for the extra work @sikachu