Cross-site Request Forgery (CSRF) Affecting devise_invitable package, versions <1.3.5


  • severity medium (Snyk CVSS score 0.0; Attack Complexity: Low)

  • Snyk ID SNYK-RUBY-DEVISEINVITABLE-20356
  • published 28 Mar 2017
  • disclosed 9 Apr 2014
  • credit Nicola Racco

Introduced: 9 Apr 2014

CVE: not available. CWE: CWE-352

How to fix?

Upgrade devise_invitable to version 1.3.5 or higher.

Overview

devise_invitable adds support for sending invitations by email (the sender must be authenticated) and for accepting an invitation by setting a password.

Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF) when the forgery protection strategy is set to :null_session or :reset_session. The value returned by the current_inviter method is memoized before the session is checked, so when the session is cleaned on a failed check the current inviter remains memoized. Thus attackers can use the CSRF token to authenticate malicious requests.
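The ordering problem described above, as an added illustration that is not devise_invitable's own code: a constructed, minimal stand-in for a Rails controller memoizes the inviter before the authenticity check resets the session, so the cached value outlives the reset; the "fixed" variant re-reads the session on every call. Class, method and token names here are hypothetical.

```ruby
# Constructed model of the flaw (not devise_invitable's code). A session is a
# Hash holding the signed-in user id; a request carries a session and a token.
Request = Struct.new(:session, :csrf_token)

class VulnerableInvitationsController
  EXPECTED_TOKEN = "valid-token" # constructed placeholder, not a real secret

  def initialize(request)
    @request = request
  end

  # Memoized lookup: the first call caches whatever the session held then.
  def current_inviter
    @current_inviter ||= @request.session[:user_id]
  end

  # Mirrors the :reset_session strategy: a request whose token does not
  # verify continues with an emptied session instead of being rejected.
  def verify_authenticity_token!
    @request.session.clear unless @request.csrf_token == EXPECTED_TOKEN
  end

  # Returns the inviter the action would act on behalf of.
  def create
    current_inviter            # memoized BEFORE the token check (the bug)
    verify_authenticity_token!
    current_inviter            # session is now empty, but the cache survives
  end
end

class FixedInvitationsController < VulnerableInvitationsController
  # Read the inviter fresh from the session on every call, so a reset
  # session yields nil and the action cannot run as a logged-in user.
  def current_inviter
    @request.session[:user_id]
  end
end

# Drive one request through a controller and report who it ran as.
def inviter_seen_by(controller_class, token)
  request = Request.new({ user_id: 42 }, token) # constructed sample session
  controller_class.new(request).create
end
```

With a valid token both controllers see user 42; with a bad token the vulnerable one still sees 42 after the session reset, while the fixed one sees nil.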