Description
Versions prior to v1.0.5 are affected by a CSRF vulnerability, as there is no CSRF mitigation (tokens etc.). The fix introduced in version v1.0.5 unintentionally breaks uploading, so version v1.0.7 is the fixed version.
This is patched by implementing double submit.
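The double-submit check named above, as an added example (not save-server's actual patch code): the server issues a random token as a cookie, and every state-changing request must repeat that token in a header that a cross-site form cannot set. The cookie name, header name and request shape are assumptions made for illustration.

```javascript
// Added example: double-submit CSRF check. Not save-server's code.
// Cookie and header names are assumptions chosen for illustration.
const nodeCrypto = require('node:crypto');

const CSRF_COOKIE = 'csrf_token';   // assumed name
const CSRF_HEADER = 'x-csrf-token'; // assumed name
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Random token the server sets as a cookie; page script echoes it in a header.
function issueCsrfToken() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Minimal Cookie header parser: "a=1; b=2" -> Map of name -> value.
function parseCookies(header = '') {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns { ok, reason }. State-changing requests must carry the same token
// in both the cookie and the header.
function checkDoubleSubmit(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true, reason: 'safe method' };
  const cookieToken = parseCookies(req.headers.cookie).get(CSRF_COOKIE);
  const headerToken = req.headers[CSRF_HEADER];
  if (!cookieToken) return { ok: false, reason: 'missing cookie token' };
  if (typeof headerToken !== 'string' || !headerToken) return { ok: false, reason: 'missing header token' };
  const a = Buffer.from(cookieToken);
  const b = Buffer.from(headerToken);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (a.length !== b.length || !nodeCrypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: 'token mismatch' };
  }
  return { ok: true, reason: 'tokens match' };
}

// Constructed sample requests (Node-style lower-cased header names).
const token = issueCsrfToken();
const sameOrigin = { method: 'POST', headers: { cookie: `sid=abc; ${CSRF_COOKIE}=${token}`, [CSRF_HEADER]: token } };
const crossSite = { method: 'POST', headers: { cookie: `sid=abc; ${CSRF_COOKIE}=${token}` } };
console.log(checkDoubleSubmit(sameOrigin), checkDoubleSubmit(crossSite));
```

The second constructed request models a cross-site form post: the browser attaches the cookie automatically, but the missing header causes the check to reject it.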
Recommendation
Update the save-server package to the latest compatible version. Version details:
- Affected version(s): < 1.0.5
- Patched version(s): 1.0.7
Tags: npm, save-server
Last updated on January 09, 2023