GHSA-vpw5-grxx-v396

Source
https://github.com/advisories/GHSA-vpw5-grxx-v396
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-vpw5-grxx-v396/GHSA-vpw5-grxx-v396.json
Aliases
  • CVE-2021-36793
Published
2021-09-02T17:16:56Z
Modified
2023-11-08T04:06:16.675857Z
Details

When the CsrfTokenViewHelper is used, the extension discloses the user's session identifier in the HTML output without applying any additional cryptographic hashing. This vulnerability cannot be exploited directly; it can only be exploited as part of a chained attack, for instance in combination with Cross-Site Scripting in the frontend output.

References

Affected packages

Packagist / lms/routes

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.1.1

Affected versions

v1.*

v1.3.3
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.10
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7

v2.*

v2.0.0
v2.1.0