CVE-2013-4562
The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store the session parameter, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via the state parameter.
Severity
N/A
EPSS
Exploitation probability (next 30 days): 0.0048 (0.5%)
Percentile: 65.2%
EPSS: 2026-05-06
Affects
madeofcode:omniauth-facebook
Published: 13/5/2014, 15:55:04
Last modified: 6/5/2026, 22:30:45
References
- http://osvdb.org/ref/99/omniauth-facebook_gem.txt
- http://seclists.org/oss-sec/2013/q4/264
- http://seclists.org/oss-sec/2013/q4/267
- http://www.osvdb.org/99693
- https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7
- https://groups.google.com/d/msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ