Cross-Site Request Forgery (CSRF) Affecting polaris-website package, versions <1.1.1
Snyk CVSS
Attack Complexity
High
User Interaction
Required
Confidentiality
High
Integrity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-POLARISWEBSITE-597473
- published 6 Aug 2020
- disclosed 5 Aug 2020
- credit Unknown
How to fix?
Upgrade polaris-website
to version 1.1.1 or higher.
Overview
polaris-website is a The Polaris website and panel designed to work with the Polaris bot (polaris-bot package)
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). In some very specific circumstances, an attacker would be able to update your settings. Basically you would need to navigate to hackersite.com while logged into our panel. Then they could modify your settings. They couldn't check if it worked, nor could they read your settings.