Devise's `:registerable` module allows users to register themselves.

If the `:registerable` module is incorrectly set up for a staff/admin scope, then you may be allowing attackers to register themselves as staff/admin users. The attackers may be able to HTTP POST to the `Devise::RegistrationsController#create` controller action and create users this way.
Where to start looking?

- Search for `registerable` usage in `app/models` and sub directories
- Search for `registrations#create` in the output from `bin/rails routes`
There is a valid use for `:registerable`, but only for user scopes that should be able to register themselves. On a public-facing web site, this would typically be used for visitors who want to sign up for their own account.
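As an added example, not code from this issue or from Devise itself: a stand-alone Ruby script that performs the two searches above on constructed input, without loading Rails. It scans model sources for a `devise` call that includes `:registerable`, parses `bin/rails routes` output for `devise/registrations#create`, and reports every registerable model whose scope is not on an allow-list. The `audit` helper, the sample models and routes, and the way a model name is mapped to a Devise route prefix (`Admin` to `admin_registration`) are assumptions for illustration; a custom `devise_for` mapping would change that prefix.

```ruby
# Added example, not the issue's or Devise's code. Runs stand-alone, no Rails needed.

# Constructed sample: the contents of three files under app/models.
MODEL_SOURCES = {
  "app/models/user.rb" => <<~RUBY,
    class User < ApplicationRecord
      devise :database_authenticatable, :registerable, :recoverable,
             :rememberable, :validatable
    end
  RUBY
  "app/models/admin.rb" => <<~RUBY,
    class Admin < ApplicationRecord
      # :registerable here lets anyone POST to the admin registration route
      devise :database_authenticatable, :registerable, :rememberable
    end
  RUBY
  "app/models/staff/member.rb" => <<~RUBY
    class Staff::Member < ApplicationRecord
      devise :database_authenticatable, :rememberable
    end
  RUBY
}.freeze

# Constructed sample: lines in the format `bin/rails routes` prints.
ROUTES_OUTPUT = <<~ROUTES.freeze
                   Prefix Verb URI Pattern               Controller#Action
         new_user_session GET  /users/sign_in(.:format)  devise/sessions#new
    new_user_registration GET  /users/sign_up(.:format)  devise/registrations#new
        user_registration POST /users(.:format)          devise/registrations#create
                          PUT  /users(.:format)          devise/registrations#update
   new_admin_registration GET  /admins/sign_up(.:format) devise/registrations#new
       admin_registration POST /admins(.:format)         devise/registrations#create
ROUTES

# Search 1: which models pass :registerable to `devise`?
# Returns { "Admin" => "app/models/admin.rb", ... }. Comments are stripped and
# continuation lines joined so a multi-line devise call is still matched.
def registerable_models(sources)
  sources.each_with_object({}) do |(path, src), found|
    code = src.gsub(/#.*$/, "").gsub(/,\s*\n\s*/, ", ")
    klass = code[/^\s*class\s+([\w:]+)/, 1] or next
    devise_line = code[/^\s*devise\b.*$/] or next
    found[klass] = path if devise_line =~ /:registerable\b/
  end
end

# Search 2: which routes hit Devise::RegistrationsController#create?
# Returns [{ prefix: "user_registration", verb: "POST", uri: "/users(.:format)" }, ...].
# The prefix column is blank on some lines, so columns are read from the right.
def registration_create_routes(routes_output)
  routes_output.each_line.filter_map do |line|
    cols = line.split
    next unless cols.last == "devise/registrations#create"
    { prefix: (cols.size == 4 ? cols[0] : nil), verb: cols[-3], uri: cols[-2] }
  end
end

# Cross-check: every registerable model outside the allowed scopes is a finding,
# paired with the create route an attacker could POST to. Assumption: the Devise
# scope is the underscored model name (Admin -> "admin", Staff::Member ->
# "staff_member"); a custom `devise_for` mapping would differ.
def audit(sources, routes_output, allowed_scopes: ["user"])
  routes = registration_create_routes(routes_output)
  registerable_models(sources).filter_map do |klass, path|
    scope = klass.gsub("::", "_").gsub(/([a-z\d])([A-Z])/, '\1_\2').downcase
    next if allowed_scopes.include?(scope)
    route = routes.find { |r| r[:prefix] == "#{scope}_registration" }
    { model: klass, file: path, scope: scope,
      create_route: route && "#{route[:verb]} #{route[:uri]}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(MODEL_SOURCES, ROUTES_OUTPUT).each do |f|
    puts "#{f[:model]} (#{f[:file]}) is :registerable; " \
         "create route: #{f[:create_route] || 'none found'}"
  end
end
```

Run it against a real application by replacing the two constructed constants with the files read from `app/models/**/*.rb` and the captured output of `bin/rails routes`; the `User` scope is on the allow-list here, so only the `Admin` model is reported.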