
CVE-2023-29008 – SvelteKit framework has Insufficient CSRF protection for CORS requests
https://notcve.org/view.php?id=CVE-2023-29008
06 Apr 2023 — The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an u...
• https://github.com/sveltejs/kit/commit/ba436c6685e751d968a960fbda65f24cf7a82e9f
• CWE-352: Cross-Site Request Forgery (CSRF); CWE-918: Server-Side Request Forgery (SSRF)

CVE-2023-29003 – SvelteKit has Insufficient Cross-Site Request Forgery Protection
https://notcve.org/view.php?id=CVE-2023-29003
04 Apr 2023 — SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job of mitigating common CSRF attacks, prior to version 1.15.1 the protection can be bypassed by simply specifying a different `Content-Type` header v...
• https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4353952d4fb0dcde6c77123
• CWE-184: Incomplete List of Disallowed Inputs; CWE-352: Cross-Site Request Forgery (CSRF)