CSRF vulnerability in AXIOS 0.24.1 to latest #6022
Comments
Probably related to #6006
Snyk is also detecting this error:
Hello guys, is there any fix for this?
Also interested. Isn't the fix super easy to implement?
@valentin-panov I see this commit in PR and it is in progress: #6028
What is the potential ETA for this PR to be resolved, please?
Hi, I just wanted to bump this as well, as my team is interested in seeing this resolved as well! Thank you team!
This is an issue for my application also. Is there a planned fix?
Update: It looks like the related PR #6028 was just merged. I'm guessing a new release shouldn't be too far off.
v1.6.0 has just been released with this patched.
I'm confused why this doesn't show up in
- Current Axios version was 0.21.4, this version has a CSRF vulnerability. Referring to this issue: axios/axios#6022, Axios contains a cross-site request forgery (CSRF) vulnerability due to insecure HTTP endpoint permission validation. An attacker could exploit this vulnerability by sending a crafted link to a victim to execute malicious actions on their behalf.
- v1.6.0 has fixed this problem. Upgraded the version to the same.
- Reference: axios/axios#6028
Signed-off-by: Nikhil Ashoka <a.nikhil@ibm.com>
Change-Id: I43719d2dd4524ad1de647f7753a6c923762e1e80
- Current Axios version was 0.21.4, this version has a CSRF vulnerability. Referring to this issue: axios/axios#6022, Axios contains a cross-site request forgery (CSRF) vulnerability due to insecure HTTP endpoint permission validation. An attacker could exploit this vulnerability by sending a crafted link to a victim to execute malicious actions on their behalf.
- v1.6.0 has fixed this problem. Upgraded the version to the same.
- Reference: axios/axios#6028
Signed-off-by: Nikhil Ashoka <a.nikhil@ibm.com>
Change-Id: Ifb0d64c7d4d15d2396ee6d83d609ab8522d9e247
Current Axios version was 0.21.4, this version has a CSRF vulnerability. axios/axios#6022. v1.6.0 has fixed this problem, upgrade Axios to that version.
Reference: axios/axios#6028
The package-lock.json was generated by pointing bitbake at my local repo and building the image.
devtool modify -n webui-vue <local repo>
This uses the npm version in yocto 10.4.0.
Signed-off-by: Nikhil Ashoka <a.nikhil@ibm.com>
Change-Id: Ifb0d64c7d4d15d2396ee6d83d609ab8522d9e247
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Current Axios version was 0.21.4, this version has a CSRF vulnerability. axios/axios#6022. v1.6.0 has fixed this problem, upgrade Axios to that version.
Reference: axios/axios#6028
The package-lock.json was generated by pointing bitbake at my local repo and building the image.
devtool modify -n webui-vue <local repo>
This uses the npm version in yocto 10.4.0.
Tested: Loaded this on a p10bmc and GUI looked good.
Signed-off-by: Nikhil Ashoka <a.nikhil@ibm.com>
Change-Id: Ifb0d64c7d4d15d2396ee6d83d609ab8522d9e247
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Describe the bug
AXIOS contains a CSRF Vulnerability
Axios contains a cross-site request forgery (CSRF) vulnerability due to insecure HTTP endpoint permission validation. An attacker could exploit this vulnerability by sending a crafted link to a victim to execute malicious actions on their behalf.
Below are the versions which contain this vulnerability:

| Package | Version |
| --- | --- |
| axios | 0.21.4 |
| axios | 0.26.1 |
| axios | 1.0.0 |
| axios | 1.3.6 |
| axios | 1.4.0 |
| axios | 1.5.1 (latest) |
To Reproduce
NA
Code snippet
No response
Expected behavior
AXIOS should not have this vulnerability
Axios Version
0.24.1, 0.26.3, 1.5.1
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
No response
Additional context/Screenshots
No response
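A defender-side check that follows the thread's advice (upgrade to v1.6.0 or later), as an added example that is not code from the issue, the axios project or the linked commits: it scans a package-lock.json for axios installs whose version is below 1.6.0, including nested copies pulled in transitively by other packages, so every affected copy in a dependency tree is found before upgrading. The 1.6.0 threshold is the fix version named in the thread; the lock file contents and package names below are constructed for the example.

```javascript
// Added example (not from the issue or the axios project): find axios installs
// in a package-lock.json that are below the 1.6.0 release the thread names as
// carrying the fix, so affected dependency trees can be located and upgraded.

const FIXED_AXIOS_VERSION = '1.6.0'; // fix version stated in the thread

// Parse "MAJOR.MINOR.PATCH" (optionally with a pre-release suffix) into parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A pre-release of X.Y.Z sorts before the X.Y.Z release itself.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Anything older than the fix release is treated as affected.
function isAffected(version) {
  return compareVersions(version, FIXED_AXIOS_VERSION) < 0;
}

// Walk a lock file and return every axios install path with an affected
// version. lockfileVersion 2/3 files carry a flat "packages" map keyed by
// install path ("node_modules/axios", "node_modules/foo/node_modules/axios");
// lockfileVersion 1 files nest "dependencies" recursively.
function findAffectedAxios(lock) {
  const hits = [];
  const seen = new Set();
  const record = (path, version) => {
    if (version && isAffected(version) && !seen.has(path)) {
      seen.add(path);
      hits.push({ path, version });
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || !path.endsWith('node_modules/axios')) continue;
      record(path, entry.version);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'axios') record(path, entry.version);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lock file (not a real project's): a direct axios 0.21.4,
// a nested axios 1.5.1 under another package, and an already fixed 1.6.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/axios': { version: '0.21.4' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.5.1' },
    'node_modules/other-lib': { version: '3.1.0' },
    'node_modules/other-lib/node_modules/axios': { version: '1.6.0' },
  },
};

// Print one line per affected install and return the findings.
function report(lock) {
  const hits = findAffectedAxios(lock);
  for (const h of hits) {
    console.log(`${h.path}: axios ${h.version} is below ${FIXED_AXIOS_VERSION}, upgrade`);
  }
  return hits;
}

report(SAMPLE_LOCK);
```

Nested copies matter here because a single `npm ls axios` at the top level can show a fixed version while a transitive dependency still pins an older one; the scan walks every install path so those copies are reported too.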