This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-01-19T14:50:18.191366Z

Updated: 2024-09-16T19:05:34.497Z

Reserved: 2020-11-12T00:00:00

Link: CVE-2020-28482

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-01-19T15:15:12.153

Modified: 2024-11-21T05:22:53.097

Link: CVE-2020-28482

cve-icon Redhat

No data.