GHSA-pj2c-h76w-vv6f

Published: 07 Oct 2022
Source: github
GitHub: Reviewed
CVSS3: 8.1

Description

tiny-csrf has openly visible CSRF tokens

Impact

Weak encryption of the CSRF cookie means the CSRF tokens can be read by attackers.

Patches

Problems have been patched as of v1.1.0.

Workarounds

Upgrade to v1.1.0.

References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

For more information

Submit an issue at the GitHub repo.

Packages

Name: tiny-csrf (npm)
Affected versions: < 1.1.0
Fixed version: 1.1.0

EPSS

Percentile: 36%
0.00148
Low

CVSS3: 8.1 High

Weaknesses

CWE-319

Related vulnerabilities

CVSS3: 8.1
nvd
more than 3 years ago

tiny-csrf is a Node.js cross-site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
