No CSRF Validation

Module: droppy

Published: March 28th, 2016

Reported by: Craig Arendt

CVE-NONE

CWE-

Vulnerable: <3.5.0
Patched: >=3.5.0

Overview

Droppy versions <=3.4.0 do not perform any verification of the origin of cross-domain WebSocket requests. An attacker can craft a page that sends requests in the context of the currently logged-in user. For example, the malicious user could add a new admin account under his control and delete others.

Remediation

Upgrade to droppy version 3.5.0 or greater.
