Description
Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.
Remediation
References
https://nodesecurity.io/advisories/91
Related Vulnerabilities
CVE-2016-8608 Vulnerability in maven package org.jbpm:jbpm-designer-client
CVE-2020-24164 Vulnerability in maven package com.taoensso:nippy
CVE-2021-23771 Vulnerability in npm package notevil
CVE-2021-21364 Vulnerability in maven package io.swagger:swagger-codegen
CVE-2020-2149 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector