
52 matches found

OSV | added 2025/11/26 10:18 p.m. | 9 views

CVE-2025-66035 Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential...

CVSS 7.7 | AI score 6.6 | EPSS 0.00572
Exploits 0 | References 9
OSV | added 2025/10/30 10:15 p.m. | 4 views

CVE-2024-14006

Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated...

CVSS 6.1 | AI score 5.9 | EPSS 0.00433
Exploits 0 | References 3
EUVD | added 2025/10/07 12:30 a.m. | 7 views

EUVD-2021-1397

Malware in sbrugna...

CVSS 6.1 | AI score 6.2 | EPSS 0.0115
Exploits 1 | References 5
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2025-7731

Malicious code in bioql PyPI...

CVSS 8.7 | AI score 6.1 | EPSS 0.00759
Exploits 1 | References 7
EUVD | added 2025/10/03 8:07 p.m. | 5 views

EUVD-2025-26876

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.3 | EPSS 0.00498
Exploits 0 | References 3
IBM Security Bulletins | added 2025/09/29 7:23 a.m. | 4 views

Security Bulletin: Axios before 1.8.2 allows SSRF and credential leakage when using absolute URLs despite baseURL setting

Summary: axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This...

CVSS 8.7 | AI score 6.4 | EPSS 0.00759
Exploits 1 | Affected Software 1
Veracode | added 2025/03/12 10:23 a.m. | 5 views

Server-Side Request Forgery (SSRF)

Axios is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper handling of absolute URLs, which causes axios to send requests directly to the specified absolute URL instead of respecting the baseURL, potentially leading to SSRF and exposing sensitive credentials...

CVSS 8.7 | AI score 6.2 | EPSS 0.00759
Exploits 1 | References 5 | Affected Software 1
Snyk | added 2025/03/11 11:27 a.m. | 1 view

Server-side Request Forgery (SSRF)

Overview: org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to not setting allowAbsoluteUrls to false by default when processing a requested URL in buildFullPath. It may not be...

CVSS 8.7 | AI score 6.9 | EPSS 0.00759
Exploits 1 | References 2
Snyk | added 2025/03/11 11:27 a.m. | 4 views

Server-side Request Forgery (SSRF)

Overview: org.webjars.bowergithub.axios:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to not setting allowAbsoluteUrls to false by default when processing a requested URL in buildFullPath. ...

CVSS 8.7 | AI score 6.8 | EPSS 0.00759
Exploits 1 | References 2
RedhatCVE | added 2025/03/09 3:28 p.m. | 8 views

CVE-2025-27152

axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...

CVSS 5.3 | AI score 6.5 | EPSS 0.00759
Exploits 1 | References 5
NVD | added 2025/03/07 4:15 p.m. | 18 views

CVE-2025-27152

axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...

CVSS 8.7 | EPSS 0.00759
Exploits 1 | References 2
OSV | added 2025/03/07 4:15 p.m. | 1 view

DEBIAN-CVE-2025-27152

axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...

CVSS 5.3 | AI score 6.3 | EPSS 0.00759
Exploits 1 | References 1
CNNVD | added 2025/03/07 12:00 a.m. | 1 view

Axios code issue vulnerability

Axios is an HTTP client based on Promise, a solution for asynchronous programming, from the Axios open source project. A code issue vulnerability exists in Axios versions prior to 1.8.2; it stems from passing absolute URLs, which could lead to SSRF and credential disclosure...

CVSS 8.7 | AI score 6.3 | EPSS 0.00759
Exploits 1 | References 5
Snyk | added 2025/03/01 12:03 a.m. | 1 view

Server-side Request Forgery (SSRF)

Overview: org.webjars.bowergithub.axios:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTT...

CVSS 8.7 | AI score 6.7 | EPSS 0.00759
Exploits 1 | References 2
Snyk | added 2025/03/01 12:03 a.m. | 2 views

Server-side Request Forgery (SSRF)

Overview: org.webjars.bower:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTTP adapter. A...

CVSS 8.7 | AI score 7.4 | EPSS 0.00759
Exploits 1 | References 2
Snyk | added 2025/03/01 12:03 a.m. | 5 views

Server-side Request Forgery (SSRF)

Overview: org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTTP adapter. An...

CVSS 8.7 | AI score 6.8 | EPSS 0.00759
Exploits 1 | References 2
Github Security Blog | added 2025/02/24 8:49 p.m. | 16 views

Better Auth allows bypassing the trustedOrigins Protection which leads to ATO

Summary: A bypass was discovered in the trustedOrigins validation logic, affecting both absolute URL entries and wildcard domain patterns. This flaw allows an attacker to construct a malicious callbackURL that passes origin checks and triggers an open redirect. Because redirect endpoints include...

AI score 6.9
Exploits 0 | References 4 | Affected Software 1
OSV | added 2024/05/30 8:00 p.m. | 9 views

GHSA-MXJF-HC9V-XGV2 ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting

Failing to properly validate the HTTP Host header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP Host header to generate absolute URLs in several places like 404 handling, https enforcement, password reset links and many more. Since the host header itself is provided by the client...

CVSS 6.1 | AI score 7.2
Exploits 0 | References 8
Github Security Blog | added 2024/05/30 8:00 p.m. | 17 views

ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting

Failing to properly validate the HTTP Host header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP Host header to generate absolute URLs in several places like 404 handling, https enforcement, password reset links and many more. Since the host header itself is provided by the client...

AI score 7.2
Exploits 0 | References 8 | Affected Software 1
OSV | added 2023/12/12 12:49 a.m. | 9 views

GHSA-3WFP-253J-5JXV SSRF & Credentials Leak

Summary: nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. This vulnerability is similar, and was cause...

CVSS 7.5 | AI score 7.4 | EPSS 0.00819
Exploits 1 | References 8