GitHub Advisory Database: GHSA-PJ2C-H76W-VV6F
History: Oct 07, 2022 - 9:23 p.m.

tiny-csrf has openly visible CSRF tokens

Published: 2022-10-07 21:23:18
CWE-319
Source: GitHub Advisory Database (github.com)
Tags: csrf tokens, weak encryption, patched, upgrade, owasp, github repository

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 48.7%

Impact

Weak encryption of CSRF tokens, so the tokens can be read by malicious attackers.

Patches

The problems have been patched as of v1.1.0.

Workarounds

Upgrade to v1.1.0.

References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

For more information

Submit an issue at the GitHub repository.

Affected configurations

Vulners (Node):
Vendor: tiny-csrf_project | Product: tiny-csrf | Range: <1.1.0 | Platform: node.js

Vendor | Product | Version | CPE
tiny-csrf_project | tiny-csrf | * | cpe:2.3:a:tiny-csrf_project:tiny-csrf:*:*:*:*:*:node.js:*:*
