CVE-2022-39239
Netlify-ipx is vulnerable in versions before 1.2.3 to a cache-poisoning fault that allows an attacker to bypass the source image allowlist by sending crafted headers. This can cause the handler to load and return arbitrary images, which are then cached globally and served to visitors without requ...
CVE-2022-39239 netlify-ipx subject to Server-Side Request Forgery and Stored Cross-Site Scripting via Cache Poisoning and Improper Host Validation
netlify-ipx is an on-demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
Netlify netlify-ipx code issue vulnerability
Netlify netlify-ipx is a library from the American company Netlify. It is used for on-demand image optimization of Netlify. A code issue vulnerability exists in Netlify netlify-ipx versions prior to 1.2.3. An attacker exploiting this vulnerability could bypass the source image field allowlist by...
GHSA-9JJV-524M-JM98 @netlify/ipx vulnerable to Full Response SSRF and Stored XSS via Cache Poisoning and Improper Host Validation
Impact By sending specially crafted headers an attacker can bypass the source image domain allowlist, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without requiring those headers to be set. XSS can be...
@netlify/plugin-nextjs (>=4.0.0 <=4.7.0), @netlify/plugin-nextjs-experimental (>=0.0.1 <=0.0.6-alpha-tracing.2) potentially affected by CVE-2022-39239 via @netlify/ipx (>=0.0.10 <=0.0.9)
@netlify/ipx NPM version =0.0.10, =4.0.0, =0.0.1, =0.0.6-alpha-tracing.2 Source cves: CVE-2022-39239 Source advisory: OSV:GHSA-9JJV-524M-JM98...
PT-2022-24833 · Netlify · Netlify-Ipx
Name of the Vulnerable Software and Affected Versions: netlify-ipx versions prior to 1.2.3 Description: The issue allows an attacker to bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is...
8x8: Subdomain Takeover at http://██.get8x8.com/
@testingforbugs reported to us a possible subdomain takeover which was achievable due to a misconfiguration of a Netlify target. The issue has been rectified...
MAL-2022-4806 Malicious code in netlify-gocommerce-widget (npm)
Source: ghsa-malware daf359de5ba0905071d75d7d2766b0c08ebe09383374772ba12baa19cecd3c5e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious Package
Overview bb-netlify is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
Malicious Package
Overview netlify-bb is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
MAL-2022-4808 Malicious code in netlify-testing-stuff (npm)
Source: ghsa-malware b05784f3a001a6314d0d92d3b64ec3069cde31dfa69774fd4271244ff5b619a8. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4807 Malicious code in netlify-swag (npm)
Source: ghsa-malware 3694d55c2e008a2b19479d7d295632d06557f2c4ceede0e8a679ea19d44cbc81. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4805 Malicious code in netlify-build (npm)
Source: ghsa-malware 1f4640a0403353f9ebe19a5623ef74481c853034db99845ee87ea8bc9f3ef0bc. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...