CVE-2020-28482

Summary

This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter

Affected Software

VendorProductVersion RangeStatus
n/afastify-csrfunspecified < 3.0.0affected

Weaknesses

  • Cross-site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References