CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2016-10535

csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail first string comparison, instead of a time constant string comparison This enables an attacker to guess the secret in no more than (16*18)288 guesses, instead of the 16^18 guesses required were the timing attack not present.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.003

EPSS Ranking 54.0%

CVSS Severity

CVSS v3 Score 5.9

CVSS v2 Score 4.3

References

https://github.com/isaacs/csrf-lite/pull/1
https://nodesecurity.io/advisories/94
https://github.com/isaacs/csrf-lite/pull/1
https://nodesecurity.io/advisories/94

Products affected by CVE-2016-10535

Csrf-Lite Project » Csrf-Lite » Version: 0.0.1

cpe:2.3:a:csrf-lite_project:csrf-lite:0.0.1
Csrf-Lite Project » Csrf-Lite » Version: 0.0.2

cpe:2.3:a:csrf-lite_project:csrf-lite:0.0.2
Csrf-Lite Project » Csrf-Lite » Version: 0.1.0

cpe:2.3:a:csrf-lite_project:csrf-lite:0.1.0
Csrf-Lite Project » Csrf-Lite » Version: 0.1.1

cpe:2.3:a:csrf-lite_project:csrf-lite:0.1.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2016-10535

Products

Pricing

Contact Us