CVE-2020-8166

Advisory lineage Upstream: 0 Downstream: 12

Downstream

DEBIAN-CVE-2020-8166 DSA-4766-1 OPENSUSE-SU-2020:1993-1 OPENSUSE-SU-2020:2000-1 OPENSUSE-SU-2024:10589-1 OPENSUSE-SU-2024:11821-1

Modified

Published: 02 Jul 2020, 18:35

Last modified:28 Apr 2026, 15:45

Vulnerability Summary

Overall Risk (default)

medium

27/100

CVSS Score

4.3 MEDIUM

v3.1 (nvd)

EPSS Score

0.44% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

02 Jul 2020, 18:35

Published

Vulnerability first disclosed

28 Apr 2026, 15:45

Last Modified

Vulnerability information updated

Description

A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

CVSS Metrics

v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.44%• Percentile: 64%

Techniques & Countermeasures

CWE-352•Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Affected Systems

debian•debian_linux
10.0
rubyonrails•rails
< 5.2.4.3 | ≥ 6.0.0, < 6.0.3.1