8.1

CVE-2022-39287

EPSS 0.15%
Veröffentlicht 07.10.2022 20:15:15
Zuletzt bearbeitet 21.11.2024 07:17:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tiny-csrf Project ≫ Tiny-csrf SwPlatformnode.js Version < 1.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.359

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba

Patch

Third Party Advisory

https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-39287

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39287

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39287

EUVD