PT-2019-14515 · Plataformatec · Devise
Published
2019-09-08
·
Updated
2020-08-24
·
CVE-2019-16109
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Plataformatec Devise versions prior to 4.7.1
Description
An issue was discovered that confirms accounts upon receiving a request with a blank
confirmation token, if a database record has a blank value in the confirmation token column. However, there is no scenario within the software itself in which such database records would exist.Recommendations
For versions prior to 4.7.1, update to version 4.7.1 or later to resolve the issue.
Exploit
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Devise