`Administrate::ApplicationController` didn't call `protect_from_forgery`, which means that non-GET methods don't validate CSRF tokens. Thus, it is possible for an attacker to hijack user sessions and act on administrate actions on their behalf. Thanks to Jason Yeo (@jsyeo) of SRC:CLR for finding and reporting this vulnerability. CVE-2016-3098
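To make the commit message concrete, the following is an added illustration, not administrate's or Rails' own code: a stripped-down model of what `protect_from_forgery` enforces. A per-session secret is issued when a form is rendered; before any non-GET/HEAD action runs, the token submitted in `authenticity_token` (or the `X-CSRF-Token` header) must match the session's secret in constant time. A cross-site page can make the victim's browser send the POST with the victim's cookie, but it cannot read the token, so the forged request fails the check. The `Request`, `ForgeryProtection`, `VulnerableAdminController` and `HardenedAdminController` names, the plain hash standing in for the session, and the 422 response used for a failed check are all assumptions made for this example.

```ruby
require "securerandom"

# Added example modelling Rails' CSRF protection; not administrate's or Rails' code.
# Only GET and HEAD are treated as safe methods, matching the commit message's point
# that it is the non-GET requests which go unverified without protect_from_forgery.
SAFE_METHODS = %w[GET HEAD].freeze

# Assumed stand-in for a Rack/Rails request: method, params, headers and the
# cookie-backed session (a plain Hash here).
class Request
  attr_reader :method, :params, :headers, :session

  def initialize(method:, session:, params: {}, headers: {})
    @method, @session, @params, @headers = method, session, params, headers
  end
end

module ForgeryProtection
  # Issue (or reuse) the per-session secret that legitimate forms embed.
  def self.issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so a wrong guess leaks nothing about the secret.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # The check protect_from_forgery runs before a state-changing action.
  def self.verified?(request)
    return true if SAFE_METHODS.include?(request.method)
    expected = request.session[:_csrf_token]
    return false if expected.nil?
    presented = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
    presented.is_a?(String) && secure_compare(presented, expected)
  end
end

class ApplicationController
  # Assumed model of the class-level macro: opt the controller into the check.
  def self.protect_from_forgery
    @forgery_protected = true
  end

  def self.forgery_protected?
    !!@forgery_protected
  end

  # Dispatch an action, rejecting unverified non-safe requests when protection is on.
  # The 422 status mirrors how a failed check is surfaced; it is a choice of this example.
  def dispatch(action, request)
    if self.class.forgery_protected? && !ForgeryProtection.verified?(request)
      return { status: 422, body: "InvalidAuthenticityToken" }
    end
    public_send(action, request)
  end
end

# Before the fix: nothing calls protect_from_forgery, so forged POSTs are processed.
class VulnerableAdminController < ApplicationController
  def update(request)
    { status: 200, body: "updated #{request.params['name']}" }
  end
end

# After the fix: the controller opts into the check.
class HardenedAdminController < ApplicationController
  protect_from_forgery

  def update(request)
    { status: 200, body: "updated #{request.params['name']}" }
  end
end

# Attacker-controlled page auto-submits a form: the browser attaches the victim's
# session cookie, but the attacker cannot include the session's token.
def forged_request(session)
  Request.new(method: "POST", session: session, params: { "name" => "attacker" })
end

# Legitimate form submission rendered by the app, carrying the session's token.
def legitimate_request(session)
  Request.new(method: "POST", session: session,
              params: { "name" => "admin", "authenticity_token" => session[:_csrf_token] })
end

# Run both requests against a controller and report the resulting statuses.
def run_scenario(controller_class)
  session = {}
  ForgeryProtection.issue_token(session)
  controller = controller_class.new
  {
    forged: controller.dispatch(:update, forged_request(session))[:status],
    legitimate: controller.dispatch(:update, legitimate_request(session))[:status]
  }
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{run_scenario(VulnerableAdminController)}"
  puts "hardened:   #{run_scenario(HardenedAdminController)}"
end
```

Running the script shows the vulnerable controller returning 200 for both requests, while the hardened one returns 422 for the forged request and 200 for the legitimate one. Note that the check relies on the token being unreadable to a cross-origin page; a separate XSS flaw that lets an attacker read the rendered form would defeat it, which is why forgery protection complements rather than replaces output escaping.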