exploitDog

CVE-2016-10529

Опубликовано: 31 мая 2018

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.

Ссылки

https://nodesecurity.io/advisories/91
Third Party Advisory
https://nodesecurity.io/advisories/91
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:droppy_project:droppy:*:*:*:*:*:node.js:*:*

Версия до 3.5.0 (исключая)

EPSS

Процентиль: 33%

0.00134

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

CWE-352

Связанные уязвимости

GHSA-rhvc-x32h-5526

github

почти 7 лет назад

No CSRF Validation in droppy

EPSS

Процентиль: 33%

0.00134

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

CWE-352