CVE-2013-0233

Devise <1.5.4, <2.0.5, <2.1.3, <2.2.3 - Unauthenticated Security Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-0233, published by joernchen and jjarmoc as the Metasploit module auxiliary/admin/http/rails_devise_pass_reset.

AI-analyzed exploit summary: This Metasploit module exploits a type confusion vulnerability in the Devise authentication gem for Ruby on Rails, allowing password resets for arbitrary accounts by manipulating XML input to influence the reset_password_token parameter type.

Description

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Exploits (1)

Metasploit · WORKING POC
by joernchen, jjarmoc · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/rails_devise_pass_reset.rb

Classification
Working PoC: 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 (excluding PostgreSQL and SQLite3 backends)
No auth needed
Prerequisites: knowledge of the target email address · access to the password reset endpoint
Analyzed by devstral-2, Feb 16, 2026

Scores

EPSS 0.6882
EPSS Percentile 98.7%

Details

CWE: CWE-399
Status: published
Products (17)
opensuse/opensuse 12.2
plataformatec/devise 1.5.0
plataformatec/devise 1.5.1
plataformatec/devise 1.5.2
plataformatec/devise 1.5.3
plataformatec/devise 2.0.0
plataformatec/devise 2.0.1
plataformatec/devise 2.0.2
plataformatec/devise 2.0.3
plataformatec/devise 2.0.4
... and 7 more
Published Apr 25, 2013
Tracked Since Feb 18, 2026