Homakov

**Name of the Vulnerable Software and Affected Versions** omniauth-facebook (affected versions not specified) **Description** The RubyGem omniauth-facebook has an access token security issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jQuery UI versions prior to 1.10.0 **Description** A cross-site scripting (XSS) issue exists in the default content option in jquery.ui.tooltip.js in the Tooltip widget. This allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo. **Recommendations** For versions prior to 1.10.0, update to version 1.10.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of the title attribute in the autocomplete combo box demo until a patch is available. Restrict access to the Tooltip widget to minimize the risk of exploitation. Avoid using the title attribute in the affected widget until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** omniauth-facebook gem versions 1.4.1 through 1.4.1 **Description** The issue allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the `state` parameter, due to improper storage of the session parameter. **Recommendations** For omniauth-facebook gem version 1.4.1, update to version 1.5.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** omniauth-oauth2 gem versions 1.1.1 and earlier **Description** The issue is a cross-site request forgery (CSRF) vulnerability that allows remote attackers to hijack the authentication of users for requests that modify session state. This is a type of attack where an attacker tricks a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For omniauth-oauth2 gem versions 1.1.1 and earlier, update to a version later than 1.1.1 to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 25.0.1364.152 **Description** The issue allows remote attackers to obtain sensitive HTTP Referer information. **Recommendations** For versions prior to 25.0.1364.152, update to version 25.0.1364.152 or later to resolve the issue.