Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZwdzUtZ3J4eC12Mzk2
CSRF token exposure in TYPO3 extension
When using the CsrfTokenViewHelper the extension discloses the user's session identifier to HTML output without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance Cross Site Scripting in the frontend output.
Permalink: https://github.com/advisories/GHSA-vpw5-grxx-v396JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZwdzUtZ3J4eC12Mzk2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
Identifiers: GHSA-vpw5-grxx-v396, CVE-2021-36793
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36793
- https://typo3.org/security/advisory/typo3-ext-sa-2021-008
- https://github.com/advisories/GHSA-vpw5-grxx-v396
Affected Packages
packagist:lms/routes
Dependent packages: 1Dependent repositories: 2
Downloads: 94,495 total
Affected Version Ranges: < 2.1.1
Fixed in: 2.1.1
All affected versions: 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.10, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 2.0.0, 2.1.0
All unaffected versions: 2.1.1, 3.0.0