CVE-2016-10522: Cross-Site Request Forgery (CSRF)

July 5, 2018 (updated October 9, 2019)

rails_admin is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.

References

github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a
nvd.nist.gov/vuln/detail/CVE-2016-10522
www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure/
www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173

Code Behaviors & Features

Detect and mitigate CVE-2016-10522 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →