rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10522
• GHSA-pxqr-8v54-m2hj
• https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails_admin/CVE-2016-10522.yml
• railsadminteam/rails_admin@b13e879