Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.5
CVSSv3

CVE-2023-45857

Published: 08/11/2023 Updated: 16/11/2023
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 0
Subscribe to Axios

Vulnerability Summary

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing malicious users to view sensitive information.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

axios axios 1.5.1

Vendor Advisories

Debian CVElist Bug Report Logs: node-axios: CVE-2023-45857
Debian Bug report logs - #1056099 node-axios: CVE-2023-45857 Package: src:node-axios; Maintainer for src:node-axios is Debian Javascript Maintainers <pkg-javascript-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 16 Nov 2023 21:09:01 UTC Severity: important Tags: pendi ...
Red Hat:
Description<!---->A flaw was found in Axios that exposes a confidential session token This flaw allows a remote attacker to bypass security measures and view sensitive dataA flaw was found in Axios that exposes a confidential session token This flaw allows a remote attacker to bypass security measures and view sensitive data ...

Github Repositories

https://github.com/bmuenzenmeyer/axios-1.0.0-migration-guide

crowd-sourced migration guide for axios 1.0.0

axios-100-migration-guide crowd-sourced migration guide for axios100 CONTRIBUTING GUIDE axios links axios docs official migration guide axios Community Discussion Upgrade Guide needs to be updated with 0xx -&gt; 100 Is axios@1 stable? CVE-2023-45857 axios@0x vulnerability and patch BREAKING CHANGES Documenting the potential breaking changes between 02721

https://github.com/stiifii/tbo_projekt

TBO - Projekt Autorzy: Michał Adrjan Hubert Decyusz Daniel Stefański CICD Do stowrzenia CICD przy użyciu GitHub Actions zostały użyte narzędzia: SAST - Bandit DAST - ZAProxy SCA - Dependency Check Komponenty Workflow dla budowy obrazu z gałęzi main z tagiem: latest Workflow dla budowy obrazu z innej gałęzi z tagiem: beta Workflow do uruchomienia SAST Bandit

https://github.com/intercept6/CVE-2023-45857-Demo

CVE-2023-45857の挙動を確認するデモ

axios の脆弱性 CVE-2023-45857 の動作を確認するデモ dev container で起動する app コンテナでnpm run devする applocalhostへアクセスする ブラウザの開発者ツールで Cookie にXSRF-TOKENがセットされていることを確認する 値がCREDENTIAL_TOKENとなっていること HttpOnly が false となっていること SameSit

https://github.com/fuyuooumi1027/CVE-2023-45857-Demo

axios の脆弱性 CVE-2023-45857 の動作を確認するデモ dev container で起動する app コンテナでnpm run devする applocalhostへアクセスする ブラウザの開発者ツールで Cookie にXSRF-TOKENがセットされていることを確認する 値がCREDENTIAL_TOKENとなっていること HttpOnly が false となっていること SameSit

References

CWE-352https://github.com/axios/axios/issues/6006https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056099https://nvd.nist.govhttps://github.com/bmuenzenmeyer/axios-1.0.0-migration-guidehttps://access.redhat.com/security/cve/cve-2023-45857
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
blind SQL injectionSSRFbuffer overflowCVE-2023-28952CVE-2023-41822CVE-2024-27956CVE-2023-7028CVE-2024-34447CVE-2024-34460
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook