Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wajJjLWg3NnctdnY2Zs4AAvNW
tiny-csrf has openly visible CSRF tokens
Impact
The CSRF tokens were weakly encrypted, so a malicious attacker could read them.
Patches
The problem has been patched as of v1.1.0.
Workarounds
Upgrade to v1.1.0
References
For more information
Submit an issue at the GitHub repo.
Permalink: https://github.com/advisories/GHSA-pj2c-h76w-vv6f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wajJjLWg3NnctdnY2Zs4AAvNW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-pj2c-h76w-vv6f, CVE-2022-39287
References:
- https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f
- https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba
- https://nvd.nist.gov/vuln/detail/CVE-2022-39287
- https://github.com/advisories/GHSA-pj2c-h76w-vv6f
Blast Radius: 14.8
Affected Packages
npm:tiny-csrf
Dependent packages: 1
Dependent repositories: 67
Downloads: 3,307 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3
All unaffected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4