No CSRF Validation

Module: droppy

Published: March 28th, 2016

Reported by: Craig Arendt

CVE-NONE

CWE-352

Vulnerable: <3.5.0
Patched: >=3.5.0

Overview

Affected versions of droppy are vulnerable to cross-site socket forgery. The package does not perform verification for cross-domain websocket requests, and as a result, an attacker can create a web page that opens up a websocket connection on behalf of the user visiting the page. The attacker can then perform any action that the target user could, including adding a new admin account under their control, or deleting others.

Remediation

Update to version 3.5.0 or later.