Description
Droppy versions before 3.5.0 do not perform any origin verification for cross-domain WebSocket requests. An attacker can craft a web page that, when visited by a logged-in user, opens a WebSocket to the Droppy instance and sends requests in that user's context. For example, this means a malicious user could add a new admin account under their control and delete existing accounts.
Remediation
Upgrade to Droppy 3.5.0 or later, which is the first version not listed as affected.
References
https://nodesecurity.io/advisories/91