DescriptionRuby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
|National Vulnerability Database|
SUSE Security Advisories:
- SUSE-SU-2012:0434-1, published Fri Mar 30 11:08:17 MDT 2012
- openSUSE-SU-2011:1305-1, published Wed, 7 Dec 2011 15:08:17 +0100 (CET)
List of released packages
|Product(s)||Fixed package version(s)||References|
|SUSE Studio Onsite Runner 1.2|| ||Patchnames: |
SUSE Timeline for this CVECVE page created: Fri Jun 28 04:22:19 2013
CVE page last modified: Tue Nov 29 12:04:16 2022