Xhelal Likaj

**Name of the Vulnerable Software and Affected Versions** fastify-csrf versions prior to 3.1.0 **Description** The issue affects applications using the fastify-csrf plugin with the "double submit" mechanism, particularly those deployed across multiple subdomains. To fully implement protection, users of the module must supply a `userInfo` when generating the CSRF token, which is necessary for applications hosted on different subdomains. **Recommendations** For versions prior to 3.1.0, update to version 3.1.0 to fix the issue. As a temporary workaround, consider supplying a `userInfo` when generating the CSRF token to enhance protection, especially for applications hosted on different subdomains.

**Name of the Vulnerable Software and Affected Versions** com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 com.vaadin:vaadin-server versions 8.0.0 through 8.12.2 **Description** The issue is related to a non-constant-time comparison of CSRF tokens in the UIDL request handler. This allows an attacker to guess a security token via a timing attack. **Recommendations** For versions 7.0.0 through 7.7.23, update to a version outside of this range to mitigate the risk. For versions 8.0.0 through 8.12.2, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider implementing constant-time comparison for CSRF tokens in the UIDL request handler until a patch is available.

**Name of the Vulnerable Software and Affected Versions** com.vaadin:flow-server versions 1.0.0 through 1.0.13 com.vaadin:flow-server versions 1.1.0 prior to 2.0.0 com.vaadin:flow-server versions 2.0.0 through 2.4.6 com.vaadin:flow-server versions 3.0.0 prior to 5.0.0 com.vaadin:flow-server versions 5.0.0 through 5.0.2 **Description** The issue is related to a non-constant-time comparison of CSRF tokens in the UIDL request handler, which allows an attacker to guess a security token via a timing attack. **Recommendations** For com.vaadin:flow-server versions 1.0.0 through 1.0.13, update to a version outside of this range. For com.vaadin:flow-server versions 1.1.0 prior to 2.0.0, update to version 2.0.0 or later. For com.vaadin:flow-server versions 2.0.0 through 2.4.6, update to a version outside of this range. For com.vaadin:flow-server versions 3.0.0 prior to 5.0.0, update to version 5.0.0 or later. For com.vaadin:flow-server versions 5.0.0 through 5.0.2, update to a version outside of this range.

**Name of the Vulnerable Software and Affected Versions** com.vaadin:flow-server versions 3.0.0 through 5.0.3 com.vaadin:fusion-endpoint version 6.0.0 **Description** The issue is related to a non-constant-time comparison of CSRF tokens in the endpoint request handler. This allows an attacker to guess a security token for Fusion endpoints via a timing attack. **Recommendations** For com.vaadin:flow-server versions 3.0.0 through 5.0.3, update to a version outside of this range to mitigate the risk. For com.vaadin:fusion-endpoint version 6.0.0, update to a version other than 6.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoint request handler until a patch is available.

Name of the Vulnerable Software and Affected Versions: Vert.x-Web framework versions 4.0 milestone 1 through 4.0 milestone 4 Description: The issue arises from incorrect CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, the framework compares the CSRF token in the cookie against a CSRF token stored in the session. This means an attacker does not need to provide a CSRF token in the request, as the verification will always succeed due to the automatic sending of cookies by the browser, leading to a successful CSRF attack. Recommendations: For versions 4.0 milestone 1 through 4.0 milestone 4, consider disabling the CSRF verification mechanism until a patch is available, or apply a custom fix to correctly compare the CSRF token in the request with the one in the cookie. Restrict access to sensitive operations that rely on CSRF protection to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: CakePHP versions 4.0.x through 4.1.3 Description: A vulnerability exists in the CsrfProtectionMiddleware component, allowing method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. The route middleware does not verify that this overridden method, which can be an arbitrary string, is actually an HTTP method. Recommendations: For CakePHP versions 4.0.x through 4.1.3, consider disabling the CsrfProtectionMiddleware component or restricting its use until a patch is available. As a temporary workaround, restrict access to the route middleware to minimize the risk of exploitation. Avoid using method override parameters in HTTP requests to the affected CakePHP versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.