PT-2019-7243 · Ruby+1 · Ruby On Rails+2

Mohamed Abdelbaset Elnoby · Published 2019-04-26 · Updated 2024-02-14 · CVE-2015-9284

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OmniAuth Ruby gem versions 1.9.2 and earlier

Description: The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework. This allows accounts to be connected without user intent, user interaction, or feedback to the user, permitting a secondary account to sign into the web application as the primary account.

Recommendations: For OmniAuth Ruby gem versions 1.9.2 and earlier, update to version 2 or later and ensure that the default configuration is not modified to reintroduce the vulnerability. As a temporary workaround, consider configuring OmniAuth according to the recommended remediation to minimize the risk of exploitation.
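As an added illustration of the recommendation (this is not code from the advisory, from OmniAuth or from Ruby on Rails), the model below contrasts the OmniAuth 1.x request-phase defaults (GET accepted, no CSRF verification) with the OmniAuth 2 / omniauth-rails_csrf_protection behaviour (POST only, Rails authenticity token verified against the session). The request hashes, the config hashes and `request_phase_allowed?` are hypothetical stand-ins for the Rack env and for OmniAuth's `allowed_request_methods` setting.

```ruby
# Added example, not OmniAuth's own code: a minimal model of the request phase
# that starts a provider link (e.g. GET/POST /auth/github), used to show why the
# OmniAuth 1.x defaults let a cross-site request start that phase and how the
# OmniAuth 2 defaults (POST only + CSRF token check) close it.
require 'securerandom'

REQUEST_PATH = '/auth/github'

# OmniAuth 1.x default: GET and POST both accepted, no CSRF token verified.
LEGACY_CONFIG   = { allowed_request_methods: [:get, :post], verify_csrf: false }
# OmniAuth 2 default plus omniauth-rails_csrf_protection: POST only, token required.
HARDENED_CONFIG = { allowed_request_methods: [:post], verify_csrf: true }

# Compare two tokens without leaking their first differing byte through timing.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a request may enter the request phase under a given config.
# request is a constructed stand-in for the Rack env: { method:, path:, params:, session: }
def request_phase_allowed?(request, config)
  return false unless request[:path] == REQUEST_PATH
  return false unless config[:allowed_request_methods].include?(request[:method].downcase.to_sym)
  return true unless config[:verify_csrf]          # legacy: no token check at all
  constant_time_equal?(request[:params]['authenticity_token'], request[:session][:_csrf_token])
end

# Constructed scenario: a logged-in user whose session already holds a Rails CSRF token.
VICTIM_SESSION = { _csrf_token: SecureRandom.hex(16) }

# A plain GET reaching /auth/github from another origin carries no token.
CROSS_SITE_GET  = { method: 'GET',  path: REQUEST_PATH, params: {}, session: VICTIM_SESSION }
# A cross-origin POST cannot read the session's token, so it can only guess one.
CROSS_SITE_POST = { method: 'POST', path: REQUEST_PATH,
                    params: { 'authenticity_token' => 'guess' }, session: VICTIM_SESSION }
# A POST form rendered by the application itself carries the matching token.
APP_FORM_POST   = { method: 'POST', path: REQUEST_PATH,
                    params: { 'authenticity_token' => VICTIM_SESSION[:_csrf_token] },
                    session: VICTIM_SESSION }

if __FILE__ == $PROGRAM_NAME
  { 'cross-site GET' => CROSS_SITE_GET, 'cross-site POST' => CROSS_SITE_POST,
    'app form POST' => APP_FORM_POST }.each do |label, req|
    puts format('%-16s legacy=%-5s hardened=%s', label,
                request_phase_allowed?(req, LEGACY_CONFIG),
                request_phase_allowed?(req, HARDENED_CONFIG))
  end
end
```

Under the legacy config every request starts the request phase; under the hardened config only the application's own POST form does, which is the property the upgrade to OmniAuth 2 (or the workaround) restores.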

Exploit

Fix

CSRF


Weakness Enumeration

Related identifiers

CVE-2015-9284
GHSA-WW4X-RWQ6-QPGF

Affected products

Debian
Omniauth Ruby Gem
Ruby On Rails