漏洞标题
在 better_errors 中实现跨站点请求伪造
漏洞描述信息
better_errors中的跨站请求伪造(Cross-Site Request Forgery)
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
Cross-Site Request Forgery in better_errors
漏洞描述信息
better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors.
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
漏洞类别
跨站请求伪造(CSRF)
漏洞标题
Better Errors跨站请求伪造漏洞
漏洞描述信息
Better Errors是一个更好、更有用的错误页面替换了标准的 Rails 错误页面。 Better Errors 2.8.0之前版本存在跨站请求伪造漏洞,该漏洞源于软件没有为其内部请求实现CSRF保护。它也没有对这些请求强制执行并检查正确的“Content-Type”标头,这使得跨站的“简单请求”可以在没有CORS保护的情况下发出。这些因素共同导致应用程序容易受到跨站攻击。
CVSS信息
N/A
漏洞类别
跨站请求伪造