Vulnerability	Vulnerable Version
L Cross-site Request Forgery (CSRF) Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) which can occur because the CSRF cookie may be retrieved by using only a session token. Note: CSRFGuard uses headers which don't retrieve a CSRF cookie. token-per-page can be used with token rotation, which would assign unique, single-use tokens for each secured page. Validation of referrer headers could be done. In order to bypass these validations, incorrect CSP/CORS rules along with a separate XSS vulnerability must be used. How to fix Cross-site Request Forgery (CSRF)? Upgrade `org.owasp:csrfguard` to version 4.0.0 or higher.	[0,4.0.0)

Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) which can occur because the CSRF cookie may be retrieved by using only a session token.

Note:

CSRFGuard uses headers which don't retrieve a CSRF cookie.
token-per-page can be used with token rotation, which would assign unique, single-use tokens for each secured page.
Validation of referrer headers could be done.

In order to bypass these validations, incorrect CSP/CORS rules along with a separate XSS vulnerability must be used.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.owasp:csrfguard to version 4.0.0 or higher.

[0,4.0.0)

Go back to all versions of this package