Source
ghsa
### Summary: A bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This vulnerability affects the code referenced in GitHub Advisory GHSA-jgmv-j7ww-jx2x (which is tracked as CVE‑2025‑54420). ### Details: The patched code attempts to treat values that `startWith('/')` as safe relative paths and only perform origin checks for absolute URLs. However, protocol‑relative URLs (those beginning with //host) also start with '/' and therefore match the startsWith('/') branch. A protocol‑relative referrer such as `//evil.com` with trai...
### Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. ### Patches Users should upgrade to Taguette 1.5.0. ### References - https://gitlab.com/remram44/taguette/-/issues/330
### Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. ### Patches Users should upgrade to Taguette 1.5.0. ### References - https://gitlab.com/remram44/taguette/-/issues/331
### Summary In some Notification types (e.g., Webhook, Telegram), the `send()` function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server. ### Details The root cause is how Uptime Kuma renders user-controlled templates via `renderTemplate()`. The function instantiates a Liquid template engine and parses the `template` argument without sanitization: ```js async renderTemplate(template, msg, monitorJSON, heartbeatJSON) { const engine = new Liquid(); const parsedTpl = engine.parse(template); // ... } ``` In some Notification flows, the `send()` implementation passes user-editable fields directly into `renderTemplate()`: ```js // webhook.js if (notification.webhookContentType === "form-data") { const formData = new FormData(); formData.append("data", JSON.stringify(data)); config.headers = formData.getHeaders(); data = formData; } ...
### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows ### Details `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass by using a back slash(`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`. ### PoC ```shell npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env\ http://localhost:5173 ``` <img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3...
NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed. This issue has been fixed in version 0.57.0.
### Summary The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using `console.log`and `console.debug` (Which in this version of node is an alias for `console.log`). This is exposing sensitive information in log files including, but not limited to: - Gocardless bearer tokens. - Account IBAN and Bank Account numbers. - PII of the account holder. - Transaction details (Payee bank information, Recipient account numbers, Transaction IDs)... ### Details Whenever GoCardless responds to a request, the payload is printed to the debug log: https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L25-L27 This in turn logs the following information to Docker (all values removed here. These fields are possibly dependent on what is returned by each institution so may differ): ```json { "account": { "resourceId": "", "iban": "", "bban": "", ...
### Impact Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interface. If application code directly imports `set` from `rollbar/src/utility` and then calls `set` with untrusted input in the second argument, it is vulnerable to prototype pollution. POC: ```js const obj = {}; require("rollbar/src/utility").set(obj, "__proto__.polluted", "vulnerable"); console.log({}.polluted !== undefined ? '[POLLUTION_TRIGGERED]':''); ``` ### Patches Fixed in version 2.26.5 and 3.0.0-beta5. ### Workarounds If application code directly imports `set` from `rollbar/src/utility`, ensure that the second argument does not receive untrusted input. ### References https://github.com/rollbar/rollbar.js/issues/1333#issuecomment-3353720946
### Summary The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages. ### Details In the `copyButtonAttributes` function in `stickyHeader.js`, when copying the button labels, the `innerHTML` of the new element is set to the `textContent` of the old element: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41 This unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML. ### PoC 1. Edit any of the affected messages (`citizen-share`, `citizen-view-history`, `citizen-view-edit`, `nstab-talk`) to the following payload: `<img src="" onerror="alert('Sticky Header Button XSS')">`. 2. Visit any mainpage article in the wiki using the Citizen skin. <img width="495" height="228" alt="image" src="https://github.com/user-attachme...
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.