GHSA-697v-pxg3-j262
Suggest an improvement- Source
- https://github.com/advisories/GHSA-697v-pxg3-j262
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-697v-pxg3-j262/GHSA-697v-pxg3-j262.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-697v-pxg3-j262
- Aliases
- Published
- 2022-07-15T20:55:21Z
- Modified
- 2023-11-08T04:03:23.915324Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Togglz console missing cross-site request forgery (CSRF) protection
- Details
-
Togglz is an implementation of the Feature Toggles pattern for Java. There is no CSRF protection in the togglz console and could allow an attacker to guess the CSRF token value. Version 2.9.4 adds the necessary CSRF protection.
- Database specific
{ "nvd_published_at": "2022-12-26T22:15:00Z", "github_reviewed_at": "2022-07-15T20:55:21Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-352" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-28191
- https://github.com/togglz/togglz/pull/495
- https://github.com/togglz/togglz/commit/ed66e3f584de954297ebaf98ea4a235286784707
- https://github.com/advisories/GHSA-697v-pxg3-j262
- https://github.com/togglz/togglz
- https://www.mend.io/vulnerability-database/CVE-2020-28191
Affected packages
Maven / org.togglz:togglz-console
Package
- Name
- org.togglz:togglz-console
- View open source insights on deps.dev
- Purl
- pkg:maven/org.togglz/togglz-console
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.9.4
Affected versions
1.*
1.0.0.Final
1.1.0.Final
1.1.1.Final
2.*
2.0.0.Alpha1
2.0.0.Beta1
2.0.0.Beta2
2.0.0.RC1
2.0.0.Final
2.0.1.Final
2.1.0.Final
2.2.0.Final
2.3.0.RC1
2.3.0.RC2
2.3.0.Final
2.4.0.RC1
2.4.0.Final
2.4.1.Final
2.5.0.Final
2.6.0.Final
2.6.1.Final
2.7.0
2.7.1
2.7.2
2.8.0
2.9.0
2.9.1
2.9.2
2.9.3