Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13ZjVwLWc2dnctcmh4eM4AA2_y
Axios Cross-Site Request Forgery Vulnerability
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Permalink: https://github.com/advisories/GHSA-wf5p-g6vw-rhxxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ZjVwLWc2dnctcmh4eM4AA2_y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 20 days ago
Updated: 12 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-wf5p-g6vw-rhxx, CVE-2023-45857
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-45857
- https://github.com/axios/axios/issues/6006
- https://github.com/axios/axios/issues/6022
- https://github.com/axios/axios/pull/6028
- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0
- https://github.com/axios/axios/releases/tag/v1.6.0
- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Affected Packages
npm:axios
Versions: >= 0.8.1, < 1.6.0Fixed in: 1.6.0