Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-j2hp-6m75-v4j4: imgproxy is vulnerable to SSRF against 0.0.0.0

### Summary Imgproxy does not block the `0.0.0.0` address, even with `IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES` set to false. This can expose services on the local host. ### Details imgproxy protects against SSRF against a loopback address with the following check ([source](https://github.com/imgproxy/imgproxy/blob/0f37d62fd8326a32c213b30dd52e2319770885d8/security/source.go#L43C1-L47C1)): ``` if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() { return ErrSourceAddressNotAllowed } ``` This check is insufficient to prevent accessing services on the local host, as services may receive traffic on `0.0.0.0`. Go's `IsLoopback` ([source](https://github.com/golang/go/blob/40b3c0e58a0ae8dec4684a009bf3806769e0fc41/src/net/ip.go#L126-L131)) strictly follows the definition of loopback IPs beginning with `127`. `0.0.0.0` is not blocked.

ghsa
Open in Source
#git#ssrf
About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability

About Authentication Bypass – FortiOS (CVE-2024-55591) vulnerability. A critical flaw allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. Affected systems include Fortinet devices running FortiOS (e.g., FortiGate NGFW) and FortiProxy. 🔹 On January 10, Arctic Wolf reported attacks on Fortinet devices that began in November 2024. Attackers create […]

Brave Desktop Browser Vulnerability Lets Malicious Sites Appear Trusted

A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn…

Royal Mail SMS Phishing Scam Targets Victims with Fake Delivery Fee Requests

Beware of a convincing Royal Mail SMS phishing scam asking for personal details and payment for re-delivery. Learn…

The Case for Proactive, Scalable Data Protection

Whether you're facing growing data demands and increased cyber threats, or simply looking to future-proof your business, it's time to consider the long-term benefits of transitioning to a cloud-first infrastructure.

UnitedHealth almost doubles victim numbers from massive Change Healthcare data breach

UnitedHealth now estimates that 190 million people were affected by the massive Change Healthcare data breach nearly a year ago.

GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user's Git credentials. "Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper," GMO Flatt Security researcher Ry0taK, who discovered the flaws

GHSA-gvvw-rr8m-fj76: uniapi version 1.0.7 contained an information harvesting script.

uniapi version 1.0.7 introduces code that would execute on import of the module and download a script from a remote URL, and would then execute the downloaded script in a thread. The downloaded script would harvest system information and `POST` the information to another remote URL. This code was found in the PyPI release artifacts and was not present in the public GitHub repository.

GHSA-4gf7-ff8x-hq99: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

### Summary Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site. ### Details Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `<script src="http://localhost:3000/_nuxt/app.js">` in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. ### PoC 1. Create a nuxt project with webpack / rspack builder. 1. Run `npm run dev` 1. Open `http://localhost:3000` 1. Run the script below in a web site that has a different origin. 1. You can see the source code output in the document and the devtools console. ```js const script = document.createElement('script') script.src = 'http://localhost:3000/_nuxt/app.js' script.addEventListener('load', () => { for (const page in window.webpackChunknuxt_app) { const moduleList = window.webpackChunknuxt_app[page][1] console.log(module...

GHSA-2452-6xj8-jh47: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

### Summary Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. ### Details While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995). https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263 That CORS handler sets `Access-Control-Allow-Origin: *`. > [!IMPORTANT] > If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring `vite.server.cors`. ### PoC 1. Start a dev server in any nuxt project using Vite by `nuxt dev`. 2. Send a fetch request to `http://localhost:3000/_nuxt/app.vue` (`fetch('http://localhost:3000/_nuxt/app.vue')`) from a different origin page. ### Impact Users with the default server.cors option using Vite builder may get the source code stolen ...