CVE-2007-5380
Session fixation vulnerability in Rails
EPSS 6.1%
Description
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
How to fix CVE-2007-5380
To remediate CVE-2007-5380, upgrade the affected package to one of the fixed versions listed below.
- Debian/rails—upgrade to 1.2.5-1 or later
- RubyGems/rails—upgrade to 1.2.4 or later
Is CVE-2007-5380 being exploited?
Moderate — EPSS is 6.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- Debian/rails: from 0, < 1.2.5-1
- RubyGems/rails: from 0, < 1.2.4