CVE-2020-16252

Published about 2 months ago
Category: Cross-Site Request Forgery
Source: GitHub
Severity: Moderate

Vulnerability in field_test

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods.

Impact

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise’s default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 0.4.0

Unaffected Versions

< 0.2.0

References

n/a