PT-2020-14844 · Ruby · Field Test
Ankane · Published 2020-08-05 · Updated 2020-08-05 · CVE-2020-16252
CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Field Test gem versions 0.2.0 through 0.3.2

Description
The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) when a non-session-based authentication method is used. The issue allows an attacker to perform requests on behalf of an authorized user by getting them to visit a malicious website. A single endpoint is affected, which allows changing the variant assigned to a user. Session-based authentication methods are not affected.

Recommendations
For versions 0.2.0 through 0.3.2, upgrade immediately to a newer version that includes the fix, which changes the protect_from_forgery call to protect_from_forgery with: :exception to prevent CSRF attacks. As a temporary workaround, consider restricting access to the affected endpoint to minimize the risk of exploitation.
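To make the recommendation concrete, here is an added illustration (not code from the Field Test gem or from this advisory) that models the two protect_from_forgery strategies on a variant-changing endpoint: with Rails' default :null_session strategy a forged request only loses its session, so a user authenticated by a non-session mechanism (HTTP Basic credentials are assumed here) still gets their variant changed, whereas :exception rejects the request outright. The class VariantEndpoint, the Request fields and the sample user are assumptions of this simplified model.

```ruby
# Stands in for ActionController::InvalidAuthenticityToken (constructed model).
class InvalidAuthenticityToken < StandardError; end
# Constructed request: session hash, optional HTTP Basic user, and form params.
Request = Struct.new(:session, :basic_auth_user, :params, keyword_init: true)

# Simplified model of the dashboard endpoint that changes a user's assigned
# variant, with a pluggable protect_from_forgery strategy.
class VariantEndpoint
  def initialize(strategy)
    @strategy = strategy        # :null_session (Rails default) or :exception
    @assignments = {}
  end

  # Returns :updated, :unauthorized or :blocked.
  def call(request)
    request = verify_authenticity(request)
    user = request.basic_auth_user || request.session[:user]
    return :unauthorized unless user
    @assignments[user] = request.params[:variant]
    :updated
  rescue InvalidAuthenticityToken
    :blocked
  end

  private

  def verify_authenticity(request)
    token = request.session[:csrf_token]
    return request if token && request.params[:authenticity_token] == token
    case @strategy
    when :null_session  # only the session is emptied; Basic-auth credentials survive
      Request.new(session: {}, basic_auth_user: request.basic_auth_user, params: request.params)
    when :exception
      raise InvalidAuthenticityToken
    end
  end
end

# Cross-site request: no authenticity token, but the browser still attaches the
# victim's session cookie or cached Basic-auth credentials (auth: :session or :basic).
def forged_request(auth)
  Request.new(session: auth == :session ? { user: 'alice' } : {},
              basic_auth_user: auth == :basic ? 'alice' : nil,
              params: { variant: 'attacker_choice' })
end

def outcome(strategy, auth)
  VariantEndpoint.new(strategy).call(forged_request(auth))
end
```

outcome(:null_session, :basic) returns :updated (the advisory's case), outcome(:null_session, :session) returns :unauthorized, and both return :blocked under :exception.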


Weakness Enumeration

Related Identifiers

CVE-2020-16252
GHSA-W542-CPP9-R3G7

Affected Products

Field Test