In csrf-magic prior to 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit a malicious user to bypass the CSRF protections, because an automatically generated secret is not used.
Vulnerable Product |
---|
csrf-magic project csrf-magic |