Advisories for Npm/Save-Server package

2020

Cross-Site Request Forgery (CSRF)

save-server is affected by a CSRF vulnerability, as there is no CSRF mitigation (tokens, etc.). The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. …