Lucene search
K

5 matches found

vulnersOsv
vulnersOsv
added 2023/04/20 9:18 p.m.7 views

@flowforge/flowforge (>=0.9.0 <=0.10.0), schwing (>=0.2.14 <=0.2.26) potentially affected by CVE-2021-29624 +1 more via @fastify/csrf-protection (=5.1.0)

@fastify/csrf-protection NPM version =5.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on @fastify/csrf-protection and may be impacted: - @flowforge/flowforge =0.9.0, =0.2.14, =0.2.26 Source cves: CVE-2021-29624, CVE-2023-27495 Source advisory:...

6.5CVSS6.5AI score0.00829EPSS
Exploits0
OSV
OSV
added 2023/04/20 9:18 p.m.63 views

GHSA-QRGF-9GPC-VRXW Bypass of CSRF protection in the presence of predictable userInfo

Description The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions. @fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the use...

5.3CVSS5.7AI score0.00829EPSS
Exploits0References8
Cvelist
Cvelist
added 2021/05/19 9:15 p.m.50 views

CVE-2021-29624 Lack of protection against cookie tossing attacks in fastify-csrf

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service...

6.5CVSS6AI score0.00829EPSS
Exploits0References6
Node.js
Node.js
added 2021/05/17 8:54 p.m.69 views

cookie tossing attack

Overview Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Recommendation Upgrade to version 3.1.0 or later References - CVE - GitHub Advisory...

4.3CVSS2AI score0.00829EPSS
Exploits0Affected Software1
vulnersOsv
vulnersOsv
added 2021/05/17 8:53 p.m.9 views

@nodosjs/view-extension (=0.0.43) potentially affected by CVE-2021-29624 via fastify-csrf (=2.0.0)

fastify-csrf NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on fastify-csrf and may be impacted: - @nodosjs/view-extension =0.0.43 Source cves: CVE-2021-29624 Source advisory: OSV:GHSA-RC4Q-9M69-GQP8...

6.5CVSS6.5AI score0.00829EPSS
Exploits0
Rows per page
Query Builder