8.1

CVE-2022-39287

Plaintext transmission of CSRF tokens in tiny-csrf

tiny-csrf is a Node.js cross-site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
Data provided by the National Vulnerability Database (NVD)

Affected configuration
Vendor            Product     Platform   Version
Tiny-csrf Project Tiny-csrf   node.js    < 1.1.0

No warning (advisory notice) was found for this CVE.
EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.39%   0.308

CVSS metrics
Source                          Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                    6.5          2.8             3.6            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
security-advisories@github.com  8.1          2.8             5.2            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE-319: Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References
https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba (Patch, Third Party Advisory)
https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f (Third Party Advisory)