Severity
High
Analysis Summary
CVE-2023-29019 CVSS:8.1
The Node.js @fastify/passport module could allow a remote attacker to hijack a user's session, caused by a session fixation vulnerability: the session identifier is not regenerated when a user authenticates, so the pre-login session ID remains valid after login. An attacker who can plant a session ID of their choosing in a victim's browser (for example, by persuading the victim to visit a specially crafted Web site) can, once the victim logs in, present that same session cookie and gain access to the victim's authenticated session.
CVE-2023-29020 CVSS:6.5
The Node.js @fastify/passport module is vulnerable to cross-site request forgery, caused by insufficient validation of incoming requests. By persuading an authenticated user to visit a malicious Web site, a remote attacker could cause the victim's browser to submit a forged HTTP request, which carries the victim's session cookie automatically, and thereby perform unauthorized actions in the context of the victim's session.
Impact
- Gain Access
Indicators Of Compromise
CVE
- CVE-2023-29019
- CVE-2023-29020
Affected Vendors
Node.js
Affected Products
- Node.js @fastify/passport 1.0.1
- Node.js @fastify/passport 2.0.0
- Node.js @fastify/passport 2.2.0
Remediation
Upgrade @fastify/passport to a patched release. Refer to the fastify-passport GitHub repository and its security advisories for the fixed version, patch details and any suggested workaround.