GSA_kwCzR0hTQS1wajJjLWg3NnctdnY2Zs4AAvNW

High EPSS: 0.00148% (0.35879 Percentile) EPSS:

Permalink JSON

tiny-csrf has openly visible CSRF tokens

Affected Packages	Affected Versions	Fixed Versions
npm:tiny-csrf PURL: `pkg:npm/tiny-csrf`	< 1.1.0	1.1.0
1 Dependent packages 67 Dependent repositories 4,356 Downloads last month Affected Version Ranges All affected versions 1.0.0, 1.0.1, 1.0.2, 1.0.3 All unaffected versions 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6

Impact

Weak encryption on CSRF so tokens can be read by malicious attackers.

Patches

Problems have been patched as of v1.1.0

Workarounds

Upgrade to v1.1.0

References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

For more information

Submit an issue at the github repo

References:

Identifiers

GHSA-pj2c-h76w-vv6f

CVE-2022-39287

Risk

Severity

High

EPSS

EPSS Percentage: 0.00148

EPSS Percentile: 0.35879

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/valexandersaulys/tiny-csrf

Date and time

Published

about 3 years ago

Updated

20 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories