CVE Vulnerability

CVE-2022-39287

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f Third Party Advisory
https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:tiny-csrf_project:tiny-csrf:*:*:*:*:*:node.js:*:*
Information

Published : 2022-10-07 08:15

Updated : 2022-10-11 01:12

NVD link : CVE-2022-39287

Mitre link : CVE-2022-39287

Products Affected
No products.
CWE
CWE-319

Cleartext Transmission of Sensitive Information