CVE-2016-10529: Cross-Site Request Forgery (CSRF)

February 18, 2019 (updated January 7, 2021)

Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.

References

github.com/advisories/GHSA-rhvc-x32h-5526
nodesecurity.io/advisories/91
nvd.nist.gov/vuln/detail/CVE-2016-10529
www.npmjs.com/advisories/91

Detect and mitigate CVE-2016-10529 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →