npm package
droppy
pkg:npm/droppy
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-7757 | Med | 6.5 | | <= 12.2.0 | — | Nov 2, 2020 | This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droppy server. |
| CVE-2016-10529 | Hig | 8.8 | | < 3.5.0 | 3.5.0 | May 31, 2018 | Droppy versions <3.5.0 do not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admi |