Vulnerability in field_test
The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods.
The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise’s default authentication) are not affected.
A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.
|Access Vector||Access Complexity||Authentication||Confidentiality Impact||Integrity Impact||Availability Impact|