Vulnerability details: VCID-b464-j8ja-hke6
Aliases CVE-2008-7248, GHSA-8fqx-7pv4-3jwm
Summary Improper Input Validation. Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. A plain HTML form with enctype="text/plain" makes a browser submit such a POST cross-site without any script, so exempting a content type from token verification on the assumption that browsers cannot produce it is unsafe; the token check must run for every state-changing request regardless of the declared Content-Type.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
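The bypass described in the summary, as an added Ruby example that is not Rails code and is not taken from any of the references listed on this page: a simplified model of a CSRF check that exempts content types outside an allow-list of "browser" types, beside a hardened check that verifies every non-safe request. The Request struct, BROWSER_TYPES, the /transfers endpoint and both sample requests are hypothetical and constructed here; the forged request is built the way a cross-site `<form method="post" enctype="text/plain">` would submit it, with the attacker's parameters carried in the action URL's query string because the text/plain body contributes no parameters.

```ruby
require 'uri'
require 'securerandom'

# Added example, not Rails code. Models the flaw in the summary: a CSRF check
# that exempts any Content-Type outside an allow-list of "browser" types, next
# to a hardened check. Request, BROWSER_TYPES and /transfers are hypothetical.

Request = Struct.new(:http_method, :path, :query, :content_type, :body, :session_token,
                     keyword_init: true) do
  # Query-string parameters are parsed for every request; body parameters only
  # for the urlencoded form type. A text/plain body therefore contributes no
  # params, but the query string still does.
  def params
    merged = Hash[URI.decode_www_form(query.to_s)]
    if content_type == 'application/x-www-form-urlencoded'
      merged.merge!(Hash[URI.decode_www_form(body.to_s)])
    end
    merged
  end
end

# Content types the flawed logic assumes are the only ones a browser can send.
BROWSER_TYPES = %w[text/html application/x-www-form-urlencoded multipart/form-data].freeze

# Vulnerable: a POST whose Content-Type is not on the list skips the token check.
def vulnerable_verified_request?(req)
  return true if req.http_method == 'GET'
  return true unless BROWSER_TYPES.include?(req.content_type) # the bypass
  req.params['authenticity_token'] == req.session_token
end

# Hardened: every non-safe method is verified, whatever the Content-Type says.
def hardened_verified_request?(req)
  return true if %w[GET HEAD].include?(req.http_method)
  secure_compare(req.params['authenticity_token'], req.session_token)
end

# Constant-time comparison; nil or a length mismatch is a failure, not an error.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Body a browser produces for <form method="post" enctype="text/plain">:
# one "name=value\r\n" line per field.
def text_plain_body(fields)
  fields.map { |k, v| "#{k}=#{v}\r\n" }.join
end

# Constructed cross-site submission: the attacker cannot read the victim's
# token, so none is sent; the parameters travel in the form's action URL.
def forged_request(session_token)
  Request.new(http_method: 'POST', path: '/transfers',
              query: 'amount=1000&to=attacker',
              content_type: 'text/plain',
              body: text_plain_body('x' => 'y'),
              session_token: session_token)
end

# Constructed same-site submission with the token in the urlencoded body.
def legitimate_request(session_token)
  Request.new(http_method: 'POST', path: '/transfers', query: '',
              content_type: 'application/x-www-form-urlencoded',
              body: "amount=10&to=friend&authenticity_token=#{session_token}",
              session_token: session_token)
end

if __FILE__ == $0
  token = SecureRandom.hex(16)
  puts "forged / vulnerable : #{vulnerable_verified_request?(forged_request(token))}"   # true
  puts "forged / hardened   : #{hardened_verified_request?(forged_request(token))}"     # false
  puts "legit  / hardened   : #{hardened_verified_request?(legitimate_request(token))}" # true
end
```

Running it shows the vulnerable check accepting the forged text/plain POST with the attacker's amount and recipient in params, while the hardened check rejects it and still accepts the legitimate urlencoded submission. The design point is that the decision to verify is keyed on the HTTP method alone; the Content-Type is attacker-controlled and never a reason to skip the check.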
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
generic_textual MODERATE http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2008-7248
epss 0.11409 https://api.first.org/data/v1/epss?cve=CVE-2008-7248
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=544329
generic_textual MODERATE https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml
generic_textual MODERATE https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
generic_textual MODERATE https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2008-7248
generic_textual MODERATE https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
generic_textual MODERATE https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544
generic_textual MODERATE https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
generic_textual MODERATE https://www.openwall.com/lists/oss-security/2009/11/28/1
generic_textual MODERATE https://www.openwall.com/lists/oss-security/2009/12/02/2
generic_textual MODERATE https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
generic_textual MODERATE http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2009/11/28/1
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2009/12/02/2
Reference id Reference type URL
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json
https://api.first.org/data/v1/epss?cve=CVE-2008-7248
https://bugzilla.redhat.com/show_bug.cgi?id=544329
http://secunia.com/advisories/36600
http://secunia.com/advisories/38915
https://github.com/rails/rails
https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544
https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
https://www.openwall.com/lists/oss-security/2009/11/28/1
https://www.openwall.com/lists/oss-security/2009/12/02/2
https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
http://www.openwall.com/lists/oss-security/2009/11/28/1
http://www.openwall.com/lists/oss-security/2009/12/02/2
http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
http://www.vupen.com/english/advisories/2009/2544
558685 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
CVE-2008-7248 https://access.redhat.com/security/cve/CVE-2008-7248
CVE-2008-7248 https://nvd.nist.gov/vuln/detail/CVE-2008-7248
CVE-2008-7248;OSVDB-61124 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33402.txt
CVE-2008-7248;OSVDB-61124 Exploit https://www.securityfocus.com/bid/37322/info
CVE-2008-7248.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml
GHSA-8fqx-7pv4-3jwm https://github.com/advisories/GHSA-8fqx-7pv4-3jwm
GLSA-200912-02 https://security.gentoo.org/glsa/200912-02
Data source Exploit-DB
Date added Dec. 14, 2009
Description Ruby on Rails 2.3.5 - 'protect_from_forgery' Cross-Site Request Forgery
Ransomware campaign use Known
Source publication date Dec. 14, 2009
Exploit type remote
Platform linux
Source update date May 18, 2014
Source URL https://www.securityfocus.com/bid/37322/info
Exploit Prediction Scoring System (EPSS)
Percentile 0.93707
EPSS Score 0.11409
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:37:14.627435+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2008-7248.yml 38.6.0