oss-sec mailing list archives

Cross-Site Request Forgery in Spina CMS


From: Tomek Rabczak <tomek () matasano com>
Date: Tue, 16 Jun 2015 10:19:02 -0500

I discovered the lack of protect_from_forgery in Spina CMS
(http://www.spinacms.com/), which is a Rails engine that users can use in their
Rails applications. This causes a CSRF vulnerability across the entire engine
which includes administrative functionality such as creating users, changing
passwords, and media management. A fix has been pushed and can be found here:
https://github.com/denkGroot/Spina/commit/bfe44f289e336f80b6593032679300c493735e75.

I'd like to request a CVE for this vulnerability.

Thanks,
Tomek Rabczak

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
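The gap described above, modelled in plain Ruby as an added example (not Spina's or Rails' own code): an engine action run with no forgery check, next to the check that `protect_from_forgery with: :exception` adds, exercised with a constructed cross-site POST and a constructed legitimate one. The `Request` struct and both request builders are stand-ins for what a Rails controller sees, and Rails' per-form token masking is left out.

```ruby
require "securerandom"
# Constructed stand-in for the request a Rails engine controller receives.
Request = Struct.new(:http_method, :session, :params, :headers, keyword_init: true)
class InvalidAuthenticityToken < StandardError; end

# Token Rails stores in the session and embeds in its own forms
# (the per-form masking Rails applies on top is omitted in this model).
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so the check itself does not leak the token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check protect_from_forgery performs: safe methods pass, any other
# method must present the session token in a form field or header.
def verified_request?(request)
  return true if %w[GET HEAD].include?(request.http_method)
  expected = request.session[:_csrf_token]
  given = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
  !expected.nil? && !given.nil? && secure_compare(given, expected)
end

# Engine as shipped: the action runs for any request carrying the admin's cookie.
def run_unprotected(request, &action)
  action.call(request)
end

# Engine after the fix: unverified state-changing requests never reach the action.
def run_protected(request, &action)
  raise InvalidAuthenticityToken unless verified_request?(request)
  action.call(request)
end

# Constructed cross-site POST to a "create user" action: the browser attached the
# admin's session cookie, but a third-party page cannot read or supply the token.
def forged_create_user(session)
  Request.new(http_method: "POST", session: session,
              params: { "email" => "injected@example.invalid" }, headers: {})
end
# The same POST as submitted from the engine's own form, token included.
def legitimate_create_user(session)
  Request.new(http_method: "POST", session: session,
              params: { "email" => "staff@example.invalid",
                        "authenticity_token" => csrf_token_for(session) }, headers: {})
end
```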
