CVE-2016-10535
N/A
N/A
Summary
csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses ===, a fail first string comparison, instead of a time constant string comparison This enables an attacker to guess the secret in no more than (16*18)288 guesses, instead of the 16^18 guesses required were the timing attack not present.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HackerOne | csrf-lite node module | <=0.1.1 | affected |
Weaknesses
- CWE-208: Information Exposure Through Timing Discrepancy (CWE-208)
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.