Vulnerabilities > CVE-2022-39287 - Unspecified vulnerability in Tiny-Csrf Project Tiny-Csrf

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

tiny-csrf-project

NVD

Published: 2022-10-07

Updated: 2024-11-21

Summary

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Vulnerable Configurations

Part	Description	Count
Application	Tiny-Csrf_Project Tiny Csrf Project Tiny Csrf 1.0.0 Tiny Csrf Project Tiny Csrf 1.0.1 Tiny Csrf Project Tiny Csrf 1.0.2 Tiny Csrf Project Tiny Csrf 1.0.3	4

References

https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba
https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba
https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f
https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f