clockwork_web is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the protect_from_forgery function in home_controller.rb, which allows an attacker to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logged in, and perform actions on behalf of the victim, such as creating or modifying attributes. Note that clockwork_web is only vulnerable with rails < 5.2.
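
A dependency check for the condition stated above, as an added example that is not part of the original advisory or the clockwork_web project: it reads a Gemfile.lock and flags an app that locks clockwork_web together with rails < 5.2. The sample lockfile, the status symbols and the fallback to the actionpack version when rails is not listed are assumptions; the advisory names no fixed clockwork_web release, so none is checked.

```ruby
require "rubygems"

# Threshold taken from the advisory: only rails < 5.2 is affected.
RAILS_THRESHOLD = Gem::Version.new("5.2")

# Constructed sample lockfile (versions are illustrative, not from the advisory).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.1.7)
        rack (~> 2.0)
      clockwork_web (0.1.0)
      rails (5.1.7)
        actionpack (= 5.1.7)

  PLATFORMS
    ruby
LOCK

# Resolved gems sit at exactly four spaces of indentation in Gemfile.lock;
# their dependency constraints sit at six and are skipped.
def locked_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, specs|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
end

# Returns :not_installed, :rails_version_unknown, :review_needed or :not_affected.
def csrf_exposure(lock_text)
  specs = locked_versions(lock_text)
  return :not_installed unless specs.key?("clockwork_web")

  # Assumption: actionpack is released in lockstep with rails, so its version
  # stands in when the rails meta-gem itself is not locked.
  rails = specs["rails"] || specs["actionpack"]
  return :rails_version_unknown unless rails

  Gem::Version.new(rails) < RAILS_THRESHOLD ? :review_needed : :not_affected
end

# Pass File.read("Gemfile.lock") instead of SAMPLE_LOCK to check a real app.
puts csrf_exposure(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

A :review_needed result means the app matches the advisory's affected condition and the clockwork_web version should be checked against the upstream fix.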