Search criteria
6 vulnerabilities found for droppy by droppy_project
FKIE_CVE-2020-7757
Vulnerability from fkie_nvd - Published: 2020-11-02 22:15 - Updated: 2024-11-21 05:37
Severity ?
Summary
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
References
| URL | Tags | ||
|---|---|---|---|
| report@snyk.io | https://github.com/silverwind/droppy/blob/master/server/server.js%23L845 | Broken Link, Third Party Advisory | |
| report@snyk.io | https://snyk.io/vuln/SNYK-JS-DROPPY-1023656 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/silverwind/droppy/blob/master/server/server.js%23L845 | Broken Link, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://snyk.io/vuln/SNYK-JS-DROPPY-1023656 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| droppy_project | droppy | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:droppy_project:droppy:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "643A12DD-184C-492B-8C12-761404530AA9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server."
},
{
"lang": "es",
"value": "Esto afecta a todas las versiones del paquete droppy.\u0026#xa0;Es posible saltar directorios para recuperar archivos de configuraci\u00f3n de un servidor droopy"
}
],
"id": "CVE-2020-7757",
"lastModified": "2024-11-21T05:37:44.683",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "report@snyk.io",
"type": "Secondary"
}
]
},
"published": "2020-11-02T22:15:13.487",
"references": [
{
"source": "report@snyk.io",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-10529
Vulnerability from fkie_nvd - Published: 2018-05-31 20:29 - Updated: 2024-11-21 02:44
Severity ?
Summary
Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.
References
| URL | Tags | ||
|---|---|---|---|
| support@hackerone.com | https://nodesecurity.io/advisories/91 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodesecurity.io/advisories/91 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| droppy_project | droppy | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:droppy_project:droppy:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1629CFF8-A569-48DE-B499-8064F26B4A6D",
"versionEndExcluding": "3.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Droppy versions \u003c3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others."
},
{
"lang": "es",
"value": "Droppy en versiones anteriores a la 3.5.0 no realiza ning\u00fan tipo de verificaci\u00f3n para peticiones websocket Cross-Domain. Un atacante puede hacer una p\u00e1gina especialmente manipulada que puede enviar peticiones como el contexto del usuario que tiene la sesi\u00f3n iniciada actualmente. Por ejemplo, esto significa que el usuario malicioso podr\u00eda a\u00f1adir una nueva cuenta de administrador bajo su control, adem\u00e1s de eliminar otras."
}
],
"id": "CVE-2016-10529",
"lastModified": "2024-11-21T02:44:12.530",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-05-31T20:29:00.940",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/91"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/91"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-7757 (GCVE-0-2020-7757)
Vulnerability from cvelistv5 – Published: 2020-11-02 18:30 – Updated: 2024-09-16 22:56
VLAI?
Title
Path Traversal
Summary
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
Severity ?
CWE
- Path Traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
Snyk Security Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:00.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "droppy",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Snyk Security Team"
}
],
"datePublic": "2020-11-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-02T18:30:15",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
}
],
"title": "Path Traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2020-11-02T18:27:33.343489Z",
"ID": "CVE-2020-7757",
"STATE": "PUBLIC",
"TITLE": "Path Traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "droppy",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Snyk Security Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
},
{
"name": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845",
"refsource": "MISC",
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7757",
"datePublished": "2020-11-02T18:30:16.073327Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-16T22:56:32.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10529 (GCVE-0-2016-10529)
Vulnerability from cvelistv5 – Published: 2018-05-31 20:00 – Updated: 2024-09-16 18:33
VLAI?
Summary
Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF) (CWE-352)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | droppy node module |
Affected:
<3.5.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:52.221Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/91"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "droppy node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c3.5.0"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Droppy versions \u003c3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF) (CWE-352)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-31T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/91"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2016-10529",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "droppy node module",
"version": {
"version_data": [
{
"version_value": "\u003c3.5.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Droppy versions \u003c3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/91",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/91"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2016-10529",
"datePublished": "2018-05-31T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T18:33:59.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7757 (GCVE-0-2020-7757)
Vulnerability from nvd – Published: 2020-11-02 18:30 – Updated: 2024-09-16 22:56
VLAI?
Title
Path Traversal
Summary
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
Severity ?
CWE
- Path Traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
Snyk Security Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:00.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "droppy",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Snyk Security Team"
}
],
"datePublic": "2020-11-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-02T18:30:15",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
}
],
"title": "Path Traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2020-11-02T18:27:33.343489Z",
"ID": "CVE-2020-7757",
"STATE": "PUBLIC",
"TITLE": "Path Traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "droppy",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Snyk Security Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-DROPPY-1023656"
},
{
"name": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845",
"refsource": "MISC",
"url": "https://github.com/silverwind/droppy/blob/master/server/server.js%23L845"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7757",
"datePublished": "2020-11-02T18:30:16.073327Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-16T22:56:32.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10529 (GCVE-0-2016-10529)
Vulnerability from nvd – Published: 2018-05-31 20:00 – Updated: 2024-09-16 18:33
VLAI?
Summary
Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF) (CWE-352)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | droppy node module |
Affected:
<3.5.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:52.221Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/91"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "droppy node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c3.5.0"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Droppy versions \u003c3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF) (CWE-352)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-31T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/91"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2016-10529",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "droppy node module",
"version": {
"version_data": [
{
"version_value": "\u003c3.5.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Droppy versions \u003c3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/91",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/91"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2016-10529",
"datePublished": "2018-05-31T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T18:33:59.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}