No CSRF Validation in droppy

Description

Affected versions of droppy are vulnerable to cross-site socket forgery. The package does not perform verification for cross-domain websocket requests, and as a result, an attacker can create a web page that opens up a websocket connection on behalf of the user visiting the page. The attacker can then perform any action that the target user could, including adding a new admin account under their control, or deleting others.

Recommendation

Update to version 3.5.0 or later.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2019-02-18 23:39:32 UTC
Updated
2023-01-09 05:03:14 UTC
GitHub reviewed
2020-06-16 21:55:03 UTC

EPSS Score

Score Percentile
0.13% 33.47%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-352 Cross-Site Request Forgery (CSRF)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm droppy < 3.5.0 3.5.0

References

cvelogic Threat Intelligence