Vulnerabilities > Omniauth

DATE CVE VULNERABILITY TITLE RISK
2024-09-10 CVE-2024-45409 The Ruby SAML library is for implementing the client side of a SAML authorization.
network
low complexity
onelogin omniauth gitlab
critical
9.8
2022-08-18 CVE-2020-36599 Improper Encoding or Escaping of Output vulnerability in Omniauth
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
network
low complexity
omniauth CWE-116
critical
9.8
2019-04-26 CVE-2015-9284 Cross-Site Request Forgery (CSRF) vulnerability in Omniauth
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user.
network
low complexity
omniauth CWE-352
8.8
2019-04-17 CVE-2017-11430 Improper Authentication vulnerability in Omniauth Saml
OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
network
low complexity
omniauth CWE-287
critical
9.8
2018-01-26 CVE-2017-18076 In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
network
low complexity
omniauth debian
7.5