CVE-2016-10529
N/A
N/A
Summary
Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HackerOne | droppy node module | <3.5.0 | affected |
Weaknesses
- CWE-352: Cross-Site Request Forgery (CSRF) (CWE-352)
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.