CVEs-PoC/2015/CVE-2015-9284.md

### [CVE-2015-9284](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284)
![](https://img.shields.io/static/v1?label=Product&message=omniauth%20ruby%20gem&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Cross-Site%20Request%20Forgery%20(CSRF)%20(CWE-352)&color=brighgreen)

### Description

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/18F/omniauth_login_dot_gov
- https://github.com/ARPSyndicate/cvemon
- https://github.com/YuriAkita/omniauth_clone
- https://github.com/cookpad/omniauth-rails_csrf_protection
- https://github.com/deepin-community/ruby-omniauth
- https://github.com/evilmartians/omniauth-ebay-oauth
- https://github.com/hakanensari/amazon-omniauth-sandbox
- https://github.com/jcpny1/recipe-cat
- https://github.com/jonathanbruno/omniauth-ebay-oauth
- https://github.com/liukun-lk/omniauth-dingtalk
- https://github.com/omniauth/omniauth
- https://github.com/pixielabs/balrog
- https://github.com/rainchen/code_quality
- https://github.com/rubyonjets/omniauth-jets_csrf_protection
- https://github.com/shotgunsoftware/omniauth-forge
- https://github.com/umd-lib/archelon
- https://github.com/ytojima/devise_omniauth-google-oauth2_sample