Cross-site Request Forgery (CSRF)
CVE-2020-28482

5.9MEDIUM

Key Information:

Vendor: Fastify
Status: Fastify-csrf
Vendor: CVE Published:; 19 January 2021

What is CVE-2020-28482?

This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter

Affected Version(s)

fastify-csrf < 3.0.0

References

https://snyk.io/vuln/SNYK-JS-FASTIFYCSRF-1062044

x_refsource_MISC

https://github.com/fastify/fastify-csrf/pull/26

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 19, 2021
Vulnerability Reserved
Nov 12, 2020

Credit

Matteo Collina

CVE-2020-28482 Data

JSON

Fastify

What is CVE-2020-28482?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit