| Copyright 2024 The Go Authors. All rights reserved. |
| Use of this source code is governed by a BSD-style |
| license that can be found in the LICENSE file. |
| |
| Expected output of TestCVEToReport/CVE-2023-45141. |
| |
| -- CVE-2023-45141 -- |
| id: PLACEHOLDER-ID |
| modules: |
| - module: github.com/gofiber/fiber |
| vulnerable_at: 1.14.6 |
| packages: |
| - package: fiber |
| summary: CVE-2023-45141 in github.com/gofiber/fiber |
| description: |- |
| Fiber is an express inspired web framework written in Go. A Cross-Site Request |
| Forgery (CSRF) vulnerability has been identified in the application, which |
| allows an attacker to obtain tokens and forge malicious requests on behalf of a |
| user. This can lead to unauthorized actions being taken on the user's behalf, |
| potentially compromising the security and integrity of the application. The |
| vulnerability is caused by improper validation and enforcement of CSRF tokens |
| within the application. This vulnerability has been addressed in version 2.50.0 |
| and users are advised to upgrade. Users should take additional security measures |
| like captchas or Two-Factor Authentication (2FA) and set Session cookies with |
| SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes. |
| cves: |
| - CVE-2023-45141 |
| references: |
| - advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p |
| source: |
| id: CVE-2023-45141 |
