Lucene search
+L

31 matches found

Github Security Blog
Github Security Blog
added 2021/05/17 8:53 p.m.57 views

Lack of protection against cookie tossing attacks in fastify-csrf

Impact Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Patches Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and...

6.5CVSS0.2AI score0.00829EPSS
Exploits0References8Affected Software1
Positive Technologies
Positive Technologies
added 2021/05/17 12:0 a.m.7 views

PT-2021-18374 · Unknown · Fastify-Csrf

Name of the Vulnerable Software and Affected Versions: fastify-csrf versions prior to 3.1.0 Description: The issue affects applications using the fastify-csrf plugin with the "double submit" mechanism, particularly those deployed across multiple subdomains. To fully implement protection, users of...

6.5CVSS6.3AI score0.00829EPSS
Exploits0References21
Node.js
Node.js
added 2021/02/22 5:29 p.m.72 views

Cross-Site Request Forgery (CSRF)

Overview Affected versions of the fastify-csrf package are vulnerable to Cross-site Request Forgery CSRF. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true . Also, the CSRF token was available in the GET query parameter...

6.8CVSS2.3AI score0.0098EPSS
Exploits0Affected Software1
vulnersOsv
vulnersOsv
added 2021/01/20 9:30 p.m.10 views

@nodosjs/view-extension (=0.0.43) potentially affected by CVE-2020-28482 via fastify-csrf (=2.0.0)

fastify-csrf NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on fastify-csrf and may be impacted: - @nodosjs/view-extension =0.0.43 Source cves: CVE-2020-28482 Source advisory: OSV:GHSA-49WP-QQ6X-G2RF...

8.8CVSS7.2AI score0.0098EPSS
Exploits0
OSV
OSV
added 2021/01/20 9:30 p.m.52 views

GHSA-49WP-QQ6X-G2RF Cross-site Request Forgery in fastify-csrf

The package fastify-csrf before 3.0.0 has a set of issues that affect its ability to do CSRF protection. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true 2. The CSRF token was available in the GET query parameter...

8.8CVSS8.6AI score0.0098EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2021/01/20 9:30 p.m.35 views

Cross-site Request Forgery in fastify-csrf

The package fastify-csrf before 3.0.0 has a set of issues that affect its ability to do CSRF protection. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true 2. The CSRF token was available in the GET query parameter...

8.8CVSS8.4AI score0.0098EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2021/01/19 3:15 p.m.27 views

CVE-2020-28482

This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true 2. The CSRF token was available in the GET query parameter...

8.8CVSS6.6AI score0.0098EPSS
Exploits0References2
Prion
Prion
added 2021/01/19 3:15 p.m.16 views

Cross site request forgery (csrf)

This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true 2. The CSRF token was available in the GET query parameter...

6.8CVSS8.7AI score0.0098EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/01/19 2:50 p.m.29 views

CVE-2020-28482 Cross-site Request Forgery (CSRF)

This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true 2. The CSRF token was available in the GET query parameter...

5.9CVSS8.8AI score0.0098EPSS
Exploits0References2
CVE
CVE
added 2021/01/19 2:50 p.m.61 views

CVE-2020-28482

CVE-2020-28482 affects the npm package fastify-csrf prior to 3.0.0. The issues: (1) the generated cookie uses insecure defaults and lacks the httpOnly flag (cookieOpts: { path: '/', sameSite: true }), and (2) the CSRF token is exposed in the GET query parameter. This weakens CSRF protections and ...

8.8CVSS7.1AI score0.0098EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2021/01/19 1:0 p.m.6 views

Cross-site Request Forgery (CSRF)

Overview fastify-csrf is an A plugin for adding CSRF protection to Fastify. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: path: '/', sameSite: true . Also, the CS...

8.8CVSS6.9AI score0.0098EPSS
Exploits0References3
Rows per page
Query Builder