CVE-2022-39287

Опубликовано: 07 окт. 2022

Источник: nvd

CVSS3: 8.1

CVSS3: 6.5

EPSS Низкий

Описание

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit 8eead6d and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Ссылки

https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba
Patch
Third Party Advisory
https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f
Third Party Advisory
https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba
Patch
Third Party Advisory
https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:tiny-csrf_project:tiny-csrf:*:*:*:*:*:node.js:*:*

Версия до 1.1.0 (исключая)

EPSS

Процентиль: 35%

0.00148

Низкий

8.1 High

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-319

Связанные уязвимости

GHSA-pj2c-h76w-vv6f

CVSS3: 8.1

github

больше 3 лет назад

tiny-csrf has openly visible CSRF tokens

EPSS

Процентиль: 35%

0.00148

Низкий

8.1 High

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-319