Cross-site Request Forgery (CSRF) Affecting droppy package, versions <3.5.0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:droppy:20160328
- published29 Mar 2016
- disclosed28 Mar 2016
- creditCraig Arendt
Introduced: 28 Mar 2016
CVE-2016-10529 (opens in a new tab)How to fix?
Upgrade to version 3.5.0 or greater.
Overview
droopy prior to 3.5.0 lacks cross-domain websocket requests verification. This allows attackers to send malicious requests while inheriting the identity and privileges of the currently logged in user.
Details
Cross-site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. [1]