nosurf · CVE-2025-46721
Name of the Vulnerable Software and Affected Versions:
nosurf versions prior to 1.2.0
Description:
A vulnerability in nosurf allows an attacker who controls content on the target site, or on a subdomain of the target site, to bypass CSRF checks and issue requests on a user's behalf. The cause is a misuse of the Go `net/http` library: nosurf decided whether to verify the `Referer` header based on the scheme of the request URL, but for incoming server-side requests `net/http` leaves `r.URL.Scheme` empty (the request line carries only the path and query, not the scheme), so every request was treated as a plain-text HTTP request and the `Referer` header was never checked for the same origin as the target webpage. Because the CSRF token is carried in a cookie, an attacker who controls HTML content on the target website, or on a website hosted on a subdomain of it, can manipulate cookies set for the target domain: they can either acquire the secret CSRF token from the cookie or override the cookie with a new token known to them, and then craft cross-site requests to the target website that carry a matching token.
Recommendations:
For versions prior to 1.2.0, upgrade to nosurf 1.2.0 or later, which resolves the issue.
As a temporary workaround, wrap the application in another HTTP middleware that ensures every non-safe (state-changing) request comes from the same origin, for example by requiring a `Sec-Fetch-Site: same-origin` header on such requests. A request issued from a subdomain arrives with `Sec-Fetch-Site: same-site`, not `same-origin`, so this check also covers the subdomain case described above.
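The workaround above, written out as an added Go example that is not part of nosurf or of the original advisory. It assumes the application is a standard `net/http` server; the middleware name `RequireSameOrigin` and the helper functions are this example's own. It also shows, via `isTLS`, the server-side check that does work for deciding whether a request arrived over HTTPS (`r.TLS != nil`), since `r.URL.Scheme` is empty for incoming requests.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// safeMethods are the HTTP methods that must not change server state and so
// need no cross-site protection.
var safeMethods = map[string]bool{
	http.MethodGet:     true,
	http.MethodHead:    true,
	http.MethodOptions: true,
	http.MethodTrace:   true,
}

// sameOriginAllowed reports whether r may proceed: safe methods always pass;
// unsafe methods pass only when the browser vouches for the request with
// Sec-Fetch-Site: same-origin. A request from a subdomain arrives as
// "same-site", not "same-origin", so it is refused here even though the
// attacker could still plant cookies for the parent domain.
func sameOriginAllowed(r *http.Request) bool {
	if safeMethods[r.Method] {
		return true
	}
	return r.Header.Get("Sec-Fetch-Site") == "same-origin"
}

// RequireSameOrigin is the workaround middleware (hypothetical name). Wrap it
// around the application handler, outside nosurf, so that cross-site and
// cross-subdomain unsafe requests never reach the CSRF token check.
func RequireSameOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !sameOriginAllowed(r) {
			http.Error(w, "cross-origin request refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// isTLS is how a server-side handler should decide whether the connection is
// HTTPS: net/http sets r.TLS for TLS connections, whereas r.URL.Scheme is
// empty for every incoming origin-form request, so a scheme comparison never
// matches (the mistake behind CVE-2025-46721).
func isTLS(r *http.Request) bool {
	return r.TLS != nil
}

// statusFor runs one constructed request through the middleware and returns
// the resulting HTTP status code.
func statusFor(method, site string) int {
	h := RequireSameOrigin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/transfer", nil)
	if site != "" {
		req.Header.Set("Sec-Fetch-Site", site)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("GET", ""))             // 200: safe method
	fmt.Println(statusFor("POST", "same-origin")) // 200
	fmt.Println(statusFor("POST", "same-site"))   // 403: e.g. attacker-controlled subdomain
	fmt.Println(statusFor("POST", "cross-site"))  // 403
	fmt.Println(statusFor("POST", ""))            // 403: header absent
	fmt.Println(isTLS(httptest.NewRequest("POST", "/transfer", nil))) // false
}
```

Requests without a `Sec-Fetch-Site` header are refused as well; that is deliberate for a stop-gap, but it blocks browsers that do not send Fetch Metadata and any non-browser API client, so scope the middleware to browser-facing routes or relax the missing-header case only after weighing that risk.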