GHSA-697v-pxg3-j262

Suggest an improvement
Source
https://github.com/advisories/GHSA-697v-pxg3-j262
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-697v-pxg3-j262/GHSA-697v-pxg3-j262.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-697v-pxg3-j262
Aliases
Published
2022-07-15T20:55:21Z
Modified
2023-11-01T04:52:52.387959Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Togglz console missing cross-site request forgery (CSRF) protection
Details

Togglz is an implementation of the Feature Toggles pattern for Java. There is no CSRF protection in the togglz console and could allow an attacker to guess the CSRF token value. Version 2.9.4 adds the necessary CSRF protection.

Database specific
{
    "nvd_published_at": "2022-12-26T22:15:00Z",
    "github_reviewed_at": "2022-07-15T20:55:21Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Maven / org.togglz:togglz-console

Package

Name
org.togglz:togglz-console
View open source insights on deps.dev
Purl
pkg:maven/org.togglz/togglz-console

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.4

Affected versions

1.*

1.0.0.Final
1.1.0.Final
1.1.1.Final

2.*

2.0.0.Alpha1
2.0.0.Beta1
2.0.0.Beta2
2.0.0.RC1
2.0.0.Final
2.0.1.Final
2.1.0.Final
2.2.0.Final
2.3.0.RC1
2.3.0.RC2
2.3.0.Final
2.4.0.RC1
2.4.0.Final
2.4.1.Final
2.5.0.Final
2.6.0.Final
2.6.1.Final
2.7.0
2.7.1
2.7.2
2.8.0
2.9.0
2.9.1
2.9.2
2.9.3