{"id":"CVE-2016-10522","details":"rails_admin ruby gem \u003cv1.1.1 is vulnerable to cross-site request forgery (CSRF). Non-GET (state-changing) requests to the administrative endpoints exposed by the gem were not validated against a CSRF token, so an attacker who lures an authenticated administrator to a malicious page can cause that administrator's browser to submit forged requests to those endpoints with the administrator's privileges. Upgrade to v1.1.1 or later.","aliases":["GHSA-pxqr-8v54-m2hj"],"modified":"2026-05-18T12:00:06.582344665Z","published":"2018-07-05T16:29:00.250Z","database_specific":{},"references":[{"type":"FIX","url":"https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a"},{"type":"FIX","url":"https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure/"},{"type":"FIX","url":"https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/railsadminteam/rails_admin","events":[{"introduced":"0"},{"fixed":"ae2962ca9e2e229589e5f6a80a03bca72cf18312"},{"fixed":"b13e879eb93b661204e9fb5e55f7afa4f397537a"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:rails_admin_project:rails_admin:*:*:*:*:*:ruby:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.1.1"}]}}],"versions":["v1.1.0","v1.0.0","v1.0.0.rc","v0.8.1","v0.8.0","v0.7.0","v0.6.8","v0.6.7","v0.6.6","v0.6.5","v0.6.4","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.0","v0.4.9","v0.4.8","v0.4.7","v0.4.6","v0.4.5","v0.4.3","v0.4.2","v0.4.1","v0.4.0","v0.0.5","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10522.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}