PT-2023-29427 · Fiber · Fiber
Rere61 +1 · Published 2023-10-16 · Updated 2023-10-24 · CVE-2023-45128
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Fiber versions prior to 2.50.0
Description
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or to perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. As defense-in-depth measures, users should take additional security steps such as captchas or Two-Factor Authentication (2FA), and set session cookies with SameSite=Lax or SameSite=Secure and the Secure and HttpOnly attributes.
Recommendations
To remediate this vulnerability, it is recommended to upgrade to version 2.50.0 or later.
Additionally, implement proper CSRF protection by reviewing the updated documentation and ensuring the application's CSRF protection mechanisms follow best practices.
Choose a suitable CSRF protection method based on the application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.
Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.
As a temporary workaround, consider implementing additional security measures such as captchas or Two-Factor Authentication (2FA), and setting session cookies with SameSite=Lax or SameSite=Secure and the Secure and HttpOnly attributes.
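The two protection methods named above, the Double Submit Cookie method and the Synchronizer Token Pattern, come down to one enforcement rule: a state-changing request is accepted only when it carries a non-empty token that the server can verify, and a missing, empty or client-chosen value is refused. The following is an added example written for this advisory in plain Go standard-library code; it is not Fiber's csrf middleware and does not reproduce its API. The cookie name `csrf_token`, the header name `X-Csrf-Token` and the in-memory `TokenStore` are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Cookie and header names are assumptions for this example, not Fiber's defaults.
const (
	csrfCookieName = "csrf_token"
	csrfHeaderName = "X-Csrf-Token"
)

var (
	ErrMissingToken  = errors.New("csrf: token missing")
	ErrTokenMismatch = errors.New("csrf: token mismatch")
	ErrUnknownToken  = errors.New("csrf: token was not issued by the server")
)

// NewToken returns 32 random bytes, hex encoded.
func NewToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func isSafeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions || m == http.MethodTrace
}

// ValidateDoubleSubmit enforces the Double Submit Cookie method: the token is read
// from the custom header only, must be non-empty, and must equal the cookie value
// under a constant-time comparison. An absent or empty token is never accepted.
func ValidateDoubleSubmit(r *http.Request) error {
	if isSafeMethod(r.Method) {
		return nil
	}
	c, err := r.Cookie(csrfCookieName)
	sent := r.Header.Get(csrfHeaderName)
	if err != nil || c.Value == "" || sent == "" {
		return ErrMissingToken
	}
	if subtle.ConstantTimeCompare([]byte(sent), []byte(c.Value)) != 1 {
		return ErrTokenMismatch
	}
	return nil
}

// TokenStore implements the Synchronizer Token Pattern: only tokens the server
// itself issued are accepted, so a client-chosen value is rejected outright.
type TokenStore struct {
	mu     sync.Mutex
	issued map[string]bool
}

func NewTokenStore() *TokenStore { return &TokenStore{issued: map[string]bool{}} }

// Issue mints a token and records it (a real app would key it to the session).
func (s *TokenStore) Issue() (string, error) {
	t, err := NewToken()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.issued[t] = true
	return t, nil
}

// ValidateSynchronizer accepts a state-changing request only with an issued token.
func (s *TokenStore) ValidateSynchronizer(r *http.Request) error {
	if isSafeMethod(r.Method) {
		return nil
	}
	sent := r.Header.Get(csrfHeaderName)
	if sent == "" {
		return ErrMissingToken
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.issued[sent] {
		return ErrUnknownToken
	}
	return nil
}

func main() {
	// Constructed forged request: a cross-site POST carries the victim's cookie
	// but cannot set the custom header, so both checks must refuse it.
	r := httptest.NewRequest(http.MethodPost, "/transfer", nil)
	r.AddCookie(&http.Cookie{Name: csrfCookieName, Value: "victim-token"})
	fmt.Println(ValidateDoubleSubmit(r), NewTokenStore().ValidateSynchronizer(r))
}
```

The point of the design is where the token is read from: the double-submit check never takes the token from the cookie alone, so a browser that automatically attaches cookies to a cross-site request still fails the check, and the synchronizer variant goes one step further by refusing any value the server did not mint, which is what closes off "arbitrary value" injection entirely.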
Tags: Exploit · Fix · CSRF · RCE
Affected Products: Fiber