Posts tagged "security fix"
A security bug (CVE-2015-8314) has been reported in Devise’s remember me system. Devise implements the “Remember me” functionality by using cookies. While this functionality works across multiple devices, Devise ended up generating the same cookie for all devices. Consequently, if a malicious user was able to steal a remember me cookie, the cookie could be used … »
Tags: devise, security fix, Posted in English, 5 Comments »
There is an XSS vulnerability in Simple Form’s error options.
Versions affected: >= 2.0.0
Not affected: < 2.0.0
Fixed versions: 3.1.0, 3.0.3, 2.1.2
Impact: When Simple Form renders an error message it marks the text as HTML safe, even though it may contain HTML tags. In applications where the error message can be provided … »
Tags: open source, security fix, simple form, Posted in English, Comments Off on XSS vulnerability on Simple Form
There is an XSS vulnerability in Simple Form’s label, hint and error options.
Fixed versions: 3.0.1, 2.1.1
Tags: security fix, simple_form, Posted in English, Comments Off on XSS vulnerability on Simple Form
It has been reported that malicious users can perform e-mail enumeration on sign-in via timing attacks despite paranoid mode being enabled. Whenever you try to reset your password or confirm your account, Devise gives you precise information on how to proceed: whether the e-mail given is valid, whether the token has not expired and … »
Tags: devise, security fix, Posted in English, Comments Off on E-mail enumeration in Devise in paranoid mode
We are glad to announce that Devise 3.1.0.rc is out. On this version, we have focused on some security enhancements regarding our defaults and the deprecation of TokenAuthenticatable. This blog post explains the rationale behind those changes and how to upgrade. Devise 3.1.0.rc runs on both Rails 3.2 and Rails 4.0. There is a TL;DR … »
Tags: devise, rails, security fix, Posted in English, 6 Comments »
Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies (similar to what is described here) or by fixation over the same Wi-Fi network. If the attacker knows the user's CSRF token, cross-site request forgery can be performed. … »
Tags: devise, rails, security fix, Posted in English, Comments Off on CSRF token fixation attacks in Devise