oss-sec mailing list archives
Cross-Site Request Forgery in Spina CMS
From: Tomek Rabczak <tomek () matasano com>
Date: Tue, 16 Jun 2015 10:19:02 -0500
I discovered the lack of protect_from_forgery in Spina CMS (http://www.spinacms.com/) which is a Rails engine that users can use in their Rails applications. This causes a CSRF vulnerability across the entire engine which includes administrative functionality such as creating users, changing passwords, and media management.

A fix has been pushed and can be found here: https://github.com/denkGroot/Spina/commit/bfe44f289e336f80b6593032679300c493735e75.

I'd like to request a CVE for this vulnerability.

Thanks,
Tomek Rabczak
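Added example (not part of the original message and not Spina's code): a static check that lists the controllers of a Rails engine whose inheritance chain never reaches a protect_from_forgery call, which is the condition the report describes. The Blog:: engine, its file paths and the helper names are constructed for illustration. The check assumes at most one module per file and a Rails version in which ActionController::Base does not enable forgery protection by itself.

```ruby
# Added example; the Blog:: engine and its file paths are constructed.
CLASS_RE = /^\s*class\s+([\w:]+)\s*<\s*([\w:]+)/
PFF_RE   = /^\s*protect_from_forgery\b/

# Map each controller class to its parent and whether it calls protect_from_forgery.
def index_controllers(sources)
  sources.each_value.with_object({}) do |src, index|
    mod = src[/^\s*module\s+([\w:]+)/, 1] # assumption: at most one module per file
    current = nil
    src.each_line do |line|
      if (m = line.match(CLASS_RE))
        current = [mod, m[1]].compact.join("::")
        index[current] = { parent: m[2], mod: mod, guarded: false }
      elsif current && line.match?(PFF_RE)
        index[current][:guarded] = true
      end
    end
  end
end

# True if the class or any scanned ancestor calls protect_from_forgery.
def guarded?(index, name, seen = [])
  entry = index[name]
  return false if entry.nil? || seen.include?(name) # chain left the scanned code
  return true if entry[:guarded]
  scoped = [entry[:mod], entry[:parent]].compact.join("::")
  guarded?(index, index.key?(scoped) ? scoped : entry[:parent], seen + [name])
end

def unprotected_controllers(sources)
  index = index_controllers(sources)
  index.keys.reject { |name| guarded?(index, name) }.sort
end

BASE = "app/controllers/blog/application_controller.rb"
BEFORE = {
  BASE => "module Blog\n  class ApplicationController < ActionController::Base\n  end\nend\n",
  "app/controllers/blog/admin/users_controller.rb" =>
    "module Blog\n  class Admin::UsersController < ApplicationController\n  end\nend\n"
}
# Same engine with the base controller fixed.
AFTER = BEFORE.merge(BASE => BEFORE[BASE].sub("Base\n", "Base\n    protect_from_forgery with: :exception\n"))

puts unprotected_controllers(BEFORE) # every engine controller is listed before the fix
```

The check does not look for skip_before_action :verify_authenticity_token, so a controller it reports as guarded can still opt out further down the chain.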