We had run a scan after upgrading the csrfguard library to version 4.3.0 and found the vulnerability below, with severity 5.4.
It also reported that there is no non-vulnerable version of this component.
Explanation
The csrfguard package is vulnerable to Cross-Site Request Forgery (CSRF). The isValidUrl method in csrfguard.js uses an insecure string-matching technique. Consequently, an attacker could exploit this vulnerability to cause tokens to leak in links to external (attacker-controlled) domains.
Version Affected
[3.1.0,4.4.0]
CVSS Details
Sonatype CVSS 3 : 5.4
CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
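The weakness the advisory names, shown with added code that is not CSRFGuard's own: the prefix check below is an assumed stand-in for the library's string matching, and the page origin, token name and sample links are constructed for the demonstration.

```javascript
// Added example, not code from CSRFGuard: a prefix-based "is this link ours"
// check beside an origin comparison done with the browser's URL parser.

// Weak check (illustrative): a link counts as same-site if it starts with the
// page origin or looks relative. "https://example.com.attacker.net/x" starts
// with "https://example.com", so it would be decorated with the token.
function isValidUrlStringMatch(url, pageOrigin) {
  return url.startsWith(pageOrigin) || url.startsWith('/');
}

// Hardened check: resolve the link against the page origin and compare the
// normalised origin (scheme, host, port) exactly as the browser would.
function isSameOriginUrl(url, pageOrigin) {
  let parsed;
  try {
    parsed = new URL(url, pageOrigin); // relative links resolve to the page origin
  } catch (e) {
    return false; // unparseable link: never attach a token to it
  }
  return parsed.origin === pageOrigin;
}

// Append a token (constructed placeholder name and value) to every link the
// given predicate accepts; returns the decorated links.
function decorateLinks(hrefs, pageOrigin, isValidUrl, tokenName, tokenValue) {
  const out = [];
  for (const href of hrefs) {
    if (!isValidUrl(href, pageOrigin)) continue;
    const sep = href.includes('?') ? '&' : '?';
    out.push(href + sep + tokenName + '=' + encodeURIComponent(tokenValue));
  }
  return out;
}

// Review helper: which links would a predicate decorate even though the URL
// parser says they point off-origin? Those are the token leaks.
function tokenLeaks(hrefs, pageOrigin, isValidUrl) {
  return hrefs.filter((h) => isValidUrl(h, pageOrigin) && !isSameOriginUrl(h, pageOrigin));
}

// Constructed sample of links as they might appear on a page at https://example.com
const PAGE_ORIGIN = 'https://example.com';
const SAMPLE_LINKS = [
  '/account/settings',                  // relative, same origin
  'https://example.com:443/orders',     // same origin, explicit default port
  'https://example.com.attacker.net/x', // other host sharing our prefix
  '//attacker.net/x',                   // protocol-relative, other host
  'https://partner.example.org/',       // plainly external
];
```

Running `tokenLeaks(SAMPLE_LINKS, PAGE_ORIGIN, isValidUrlStringMatch)` lists the two prefix-confusable links, while the parser-based check leaks nothing and still accepts the explicit-port and relative forms.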