Vulnerability	Vulnerable Version
H Cross-site Request Forgery (CSRF) org.pac4j:pac4j-core is a pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to deterministic calculations in the `String.hashCode()` function. An attacker can perform unauthorized profile updates, password changes, account linking, and other state-changing actions by submitting a forged request with a token whose hash collides with the legitimate CSRF token. The attacker does not need to possess the legitimate token or its hash before the attack. How to fix Cross-site Request Forgery (CSRF)? Upgrade `org.pac4j:pac4j-core` to version 5.7.10, 6.4.1 or higher.	[5.0.0-RC1,5.7.10)[6.0.0-RC1,6.4.1)

Cross-site Request Forgery (CSRF)

org.pac4j:pac4j-core is a pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to deterministic calculations in the String.hashCode() function. An attacker can perform unauthorized profile updates, password changes, account linking, and other state-changing actions by submitting a forged request with a token whose hash collides with the legitimate CSRF token. The attacker does not need to possess the legitimate token or its hash before the attack.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.pac4j:pac4j-core to version 5.7.10, 6.4.1 or higher.

[5.0.0-RC1,5.7.10)[6.0.0-RC1,6.4.1)

Go back to all versions of this package