Description
Qwik City CSRF protection middleware does not work properly for Content-Type headers with parameters (e.g. multipart/form-data)
Summary
A typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers.
Impact
An attacker can bypass Qwik City’s Origin-based CSRF protections and perform forged form submissions, potentially causing unauthorized state changes.
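The failure mode described above, as an added example that is not Qwik City's code: a Content-Type check has to ignore header parameters before deciding whether the Origin comparison applies. The function names, the fail-closed handling of a missing header and the sample request are assumptions made for illustration; the page does not show the faulty regular expression.

```javascript
// Added example, not Qwik City's code; all function names are hypothetical.
// Media types an HTML <form> can submit cross-site without a CORS preflight.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Fragile check, shown for contrast: comparing the raw header value misses
// any header that carries parameters. (This is not the advisory's regex,
// which the page does not show.)
function rawMatchIsForm(contentType) {
  return FORM_TYPES.has(contentType);
}

// Robust check: drop parameters (";boundary=...", ";charset=..."), trim
// whitespace and fold case before comparing.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';', 1)[0].trim().toLowerCase();
}

// Origin-based CSRF decision. `headers` is a plain object with lower-case
// keys; `siteOrigin` is the application's own origin.
function csrfAllows(method, headers, siteOrigin) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return true;
  const type = mediaType(headers['content-type']);
  // Other media types cannot come from a cross-site form; browsers preflight
  // them under CORS. A missing Content-Type is treated like a form (fail closed).
  if (type !== '' && !FORM_TYPES.has(type)) return true;
  return headers.origin === siteOrigin;
}

// Constructed sample request: a multipart form post from another origin.
const forged = {
  'content-type': 'multipart/form-data; boundary=----constructed',
  origin: 'https://other.example',
};
console.log(rawMatchIsForm(forged['content-type']));            // false
console.log(csrfAllows('POST', forged, 'https://app.example')); // false
```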
Packages
Name: @builder.io/qwik-city (npm)
Affected versions: < 1.12.0
Fixed version: 1.12.0
Related vulnerabilities
CVSS3: 5.9
nvd
3 days ago
Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
CVSS3: 5.9
debian
3 days ago
Qwik is a performance-focused JavaScript framework. Prior to version 1 ...