6 matches found
Cross-Site Request Forgery (CSRF)
Overview Affected versions of the fastify-csrf package are vulnerable to Cross-site Request Forgery CSRF. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true . Also, the CSRF token was available in the GET query parameter...
@nodosjs/view-extension (=0.0.43) potentially affected by CVE-2020-28482 via fastify-csrf (=2.0.0)
fastify-csrf NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on fastify-csrf and may be impacted: - @nodosjs/view-extension =0.0.43 Source cves: CVE-2020-28482 Source advisory: OSV:GHSA-49WP-QQ6X-G2RF...
CVE-2020-28482
creationtimestamp| type| source ---|---|--- 2021-01-19 18:56:04+00:00| seen| https://t.me/cibsecurity/22267...
CVE-2020-28482
This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true 2. The CSRF token was available in the GET query parameter...
CVE-2020-28482 Cross-site Request Forgery (CSRF)
This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true 2. The CSRF token was available in the GET query parameter...
CVE-2020-28482
CVE-2020-28482 affects the npm package fastify-csrf prior to 3.0.0. The issues: (1) the generated cookie uses insecure defaults and lacks the httpOnly flag (cookieOpts: { path: '/', sameSite: true }), and (2) the CSRF token is exposed in the GET query parameter. This weakens CSRF protections and ...