crumb is a CSRF crumb generation and validation plugin.
Affected versions of the package are vulnerable to Authentication Bypass.
crumb does not validate the hostname when comparing a request origin against the whitelist, but rather compares the HTTP protocol alone. This opens a window for attackers to gain information by Man in the Middle (MitM) attacks.
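As an added illustration (not crumb's own code), the class of check the advisory describes, in JavaScript: an origin comparison that looks only at the scheme, beside one that compares the full scheme, host and port against the allow-list. The allow-list entries and the helper names are constructed for this example.

```javascript
// Added illustration, not crumb's own code: checking a request's Origin
// header against an allow-list. The weak version compares only the scheme,
// so any origin using the same scheme passes; the strict version compares
// the whole origin tuple (scheme, host, port) after parser normalisation.

// Constructed allow-list for the example.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com:8443'];

// Parse an Origin header value; returns null if it is not an absolute URL.
function parseOrigin(origin) {
  try {
    return new URL(origin);
  } catch (e) {
    return null;
  }
}

// Weak check: only the scheme is compared, the flaw class the advisory
// describes. Kept here solely to contrast with the strict version below.
function originAllowedWeak(origin, allowed = ALLOWED_ORIGINS) {
  const req = parseOrigin(origin);
  if (!req) return false;
  return allowed.some((entry) => {
    const e = parseOrigin(entry);
    return e !== null && e.protocol === req.protocol;
  });
}

// Strict check: the WHATWG URL parser lowercases the host and drops default
// ports, so comparing the serialised `origin` property matches scheme, host
// and port exactly. Opaque origins (serialised as "null") are rejected.
function originAllowedStrict(origin, allowed = ALLOWED_ORIGINS) {
  const req = parseOrigin(origin);
  if (!req || req.origin === 'null') return false;
  return allowed.some((entry) => {
    const e = parseOrigin(entry);
    return e !== null && e.origin === req.origin;
  });
}
```

With the constructed allow-list, `originAllowedWeak('https://attacker.example')` returns true while `originAllowedStrict` returns false for it.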
Upgrade crumb to version 4.0.2 or higher.
- Nicolas Jessel
- Snyk ID
- 12 Feb, 2015
- 21 Jun, 2017