Lucene search
K

46 matches found

OSV
OSV
added 2025/08/14 1:3 p.m.8 views

SUSE-SU-2025:01326-1 Security update for pgadmin4

This update for pgadmin4 fixes the following issues: - CVE-2025-27152: Fixed SSRF and creadential leakage due to requests sent to absolute URL even when baseURL is set bsc1239308 - CVE-2023-1907: Fixed an issue which could result in users being authenticated in another user's session if two users...

8.7CVSS6.7AI score0.01471EPSS
Exploits2References7
SUSE Linux
SUSE Linux
added 2025/04/14 7:6 a.m.1 views

Security update for pgadmin4

This update for pgadmin4 fixes the following issues: CVE-2025-27152: axios: Fixed SSRF and creadential leakage due to requests sent to absolute URL even when baseURL is set bsc1239308 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

8.7CVSS7AI score0.00759EPSS
Exploits1References4
OSV
OSV
added 2025/03/07 3:16 p.m.1 views

GHSA-JR5F-V2JV-69X6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Summary A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF Server-Side Request Forgery. Reference: axios/axios6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if...

8.7CVSS6.6AI score0.00759EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2025/03/07 3:16 p.m.53 views

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Summary A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF Server-Side Request Forgery. Reference: axios/axios6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if...

8.7CVSS6.7AI score0.00759EPSS
Exploits1References8Affected Software1
Cvelist
Cvelist
added 2025/03/07 3:13 p.m.242 views

CVE-2025-27152 Possible SSRF and Credential Leakage via Absolute URL in axios Requests

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...

8.7CVSS0.00759EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/03/07 3:13 p.m.14 views

CVE-2025-27152 Possible SSRF and Credential Leakage via Absolute URL in axios Requests

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...

8.7CVSS6.9AI score0.00759EPSS
Exploits1References2
Debian CVE
Debian CVE
added 2025/03/07 3:13 p.m.52 views

CVE-2025-27152

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...

8.7CVSS6.3AI score0.00759EPSS
Exploits1
OSV
OSV
added 2023/12/08 11:45 p.m.6 views

CVE-2023-49799 Server-Side Request Forgery in nuxt-api-party

nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by ...

7.5CVSS7.4AI score0.00819EPSS
Exploits1References7
Tenable Nessus
Tenable Nessus
added 2022/10/01 12:0 a.m.66 views

Oracle Linux 7 : squid (ELSA-2022-22254)

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-22254 advisory. - 7:4.11-3.0.1 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus has not tested...

9.8CVSS6.9AI score0.04302EPSS
Exploits0References4
Cvelist
Cvelist
added 2022/08/12 12:0 a.m.33 views

CVE-2022-35949 `undici.request` vulnerable to SSRF using absolute URL on `pathname`

undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF Server-side Request Forgery when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici =...

5.3CVSS9.5AI score0.01388EPSS
Exploits1References3
Hacker One
Hacker One
added 2022/08/09 1:51 p.m.85 views

Internet Bug Bounty: [CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname

GHSA: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 Report: https://hackerone.com/reports/1642017 Impact SSRF...

7.5CVSS8.9AI score0.01388EPSS
Exploits1
Veracode
Veracode
added 2022/01/18 1:45 a.m.32 views

Open Redirect

flasksecuritytoo is vulnerable to open redirect vulnerabilities. The vulnerability exists due to a lack of validation of the absolute URL from input...

6.1CVSS2.3AI score0.03289EPSS
Exploits0References2Affected Software2
RedhatCVE
RedhatCVE
added 2020/04/24 8:33 a.m.53 views

CVE-2019-12520

A flaw was found in squid. The absolute URL of a request can include the decoded UserInfo username and password for certain protocols. This decoded info may contain special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a...

5CVSS1.8AI score0.03935EPSS
Exploits0References4
OSV
OSV
added 2020/04/15 8:15 p.m.27 views

CVE-2019-12520

An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo...

7.5CVSS6.6AI score0.03935EPSS
Exploits0References8
UbuntuCve
UbuntuCve
added 2020/04/15 8:15 p.m.40 views

CVE-2019-12520

An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo...

7.5CVSS6.7AI score0.03935EPSS
Exploits0References7
Debian CVE
Debian CVE
added 2020/04/15 7:14 p.m.30 views

CVE-2019-12520

An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo...

7.5CVSS6.5AI score0.03935EPSS
Exploits0
Cvelist
Cvelist
added 2020/01/02 4:7 p.m.40 views

CVE-2013-4752

Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to...

6.3AI score0.02313EPSS
Exploits0References15
Amazon
Amazon
added 2019/05/16 12:0 a.m.24 views

Important: mod_auth_mellon

Issue Overview: A vulnerability was found in a previous version of modauthmellon. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them ...

8.1CVSS7.1AI score0.02969EPSS
Exploits1
NVD
NVD
added 2019/03/27 1:29 p.m.20 views

CVE-2019-3877

A vulnerability was found in modauthmellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. Thi...

6.1CVSS6.4AI score0.02131EPSS
Exploits0References8
OSV
OSV
added 2019/03/27 1:29 p.m.32 views

CVE-2019-3877

A vulnerability was found in modauthmellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. Thi...

6.1CVSS6.5AI score0.02131EPSS
Exploits0References8
Rows per page
Query Builder