370 matches found

Snyk
added 2025/07/22 6:50 p.m., 1 view

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the server.auth.URL function. An attacker can obtain authentication tokens and circumvent access controls by supplying a crafted realm value in the WWW-Authenticate header returned from the /api/pull endpoint...

CVSS 6.9 | AI score 7 | EPSS 0.00056
Exploits: 2 | References: 2
OSV
added 2025/07/11 12:18 p.m., 2 views

OESA-2025-1766 etcd security update

Security Fixes: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information. CVE-2025-4673...

CVSS 6.8 | AI score 7 | EPSS 0.00074
Exploits: 0 | References: 2
Amazon
added 2025/07/10 12:00 a.m., 2 views

Medium: oci-add-hooks

Issue Overview: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information. CVE-2025-4673. Affected Packages: oci-add-hooks. Note: This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Visit this page to learn mor...

CVSS 6.8 | AI score 7 | EPSS 0.00074
Exploits: 0
RedHat Linux
added 2025/07/09 12:58 a.m., 2 views

net/http: Sensitive headers not cleared on cross-origin redirect in net/http

A flaw was found in net/http. Handling Proxy-Authorization and Proxy-Authenticate headers during cross-origin redirects allows these headers to be inadvertently forwarded, potentially exposing sensitive authentication credentials. This flaw allows a network-based attacker to manipulate redirect...

CVSS 6.8 | AI score 7.2 | EPSS 0.00074
Exploits: 0 | References: 8
RedHat Linux
added 2025/07/09 12:55 a.m., 3 views

net/http: Sensitive headers not cleared on cross-origin redirect in net/http

A flaw was found in net/http. Handling Proxy-Authorization and Proxy-Authenticate headers during cross-origin redirects allows these headers to be inadvertently forwarded, potentially exposing sensitive authentication credentials. This flaw allows a network-based attacker to manipulate redirect...

CVSS 6.8 | AI score 7.2 | EPSS 0.00074
Exploits: 0 | References: 8
Cvelist
added 2025/06/11 4:42 p.m., 26 views

CVE-2025-4673 Sensitive headers not cleared on cross-origin redirect in net/http

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information...

EPSS 0.00074
Exploits: 0 | References: 4
Debian CVE
added 2025/06/11 4:42 p.m., 8 views

CVE-2025-4673

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information...

CVSS 6.8 | AI score 6.2 | EPSS 0.00074
Exploits: 0
SUSE CVE
added 2025/06/06 2:25 a.m., 3 views

SUSE CVE-2025-4673

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information...

CVSS 6.8 | AI score 7 | EPSS 0.00074
Exploits: 0 | References: 11
RedhatCVE
added 2025/05/22 4:14 p.m., 6 views

CVE-2020-12789

The Secure Monitor in Microchip Atmel ATSAMA5 products uses a hardcoded key to encrypt and authenticate secure applets...

CVSS 7.5 | AI score 6.8 | EPSS 0.0028
Exploits: 0
SUSE CVE
added 2025/05/22 1:40 a.m., 1 view

SUSE CVE-2025-4476

A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 Unauthorized HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed...

CVSS 4.3 | AI score 6.8 | EPSS 0.0031
Exploits: 1 | References: 11
OSV
added 2025/05/16 6:16 p.m., 3 views

AZL-61910 CVE-2025-4476 affecting package libsoup for versions less than 3.4.4-7

A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 Unauthorized HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed...

CVSS 4.3 | AI score 5.7 | EPSS 0.0031
Exploits: 1 | References: 1
OSV
added 2025/05/16 2:13 p.m., 1 view

MAL-2025-3925 Malicious code in vue-gop-authenticate (npm)

Per source details (do not edit below this line). Source: ghsa-malware b5f8092f5dd68ba9b719ca6f042e84c396704214bdaff421ce3f8b933fa7e302. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0 | References: 3
OSSF Malicious Packages
added 2025/05/16 2:13 p.m., 3 views

Malicious code in vue-gop-authenticate (npm)

Per source details (do not edit below this line). Source: ghsa-malware b5f8092f5dd68ba9b719ca6f042e84c396704214bdaff421ce3f8b933fa7e302. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0 | References: 3
CNNVD
added 2025/05/16 12:00 a.m., 4 views

libsoup code issue vulnerability

libsoup is a GNOME HTTP client/server library from the GNOME Project. A code issue vulnerability exists in libsoup, which stems from the fact that handling certain constructs of the WWW-Authenticate header may cause a client application to crash, potentially leading to a denial of service attack...

CVSS 4.3 | AI score 5.6 | EPSS 0.0031
Exploits: 1 | References: 4
Snyk
added 2025/05/06 4:51 p.m., 1 view

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration through the Session API. An attacker can authenticate on behalf of the user by repeatedly using idp intents to retrieve the id and token from the application's URI. Remediation: Upgrade...

CVSS 8 | AI score 9.3 | EPSS 0.0021
Exploits: 0 | References: 2
SUSE CVE
added 2025/05/02 2:02 a.m., 0 views

SUSE CVE-2025-37778

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix dangling pointer in krb_authenticate. krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user, but that function may return without doing so. If that...

CVSS 7.8 | AI score 7.7 | EPSS 0.00043
Exploits: 0 | References: 3
GithubExploit
added 2025/04/09 8:47 p.m., 87 views

Exploit for CVE-2025-492030

CVE-2025-492030 Security Advisory: CVE-2025-492030 Overv...

AI score 7.7
Exploits: 0
RedhatCVE
added 2025/04/07 12:21 a.m., 21 views

CVE-2025-32359

In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two-factor authentication configuration, users need to re-authenticate with their current password first. However, this change was enforced in Zammad only on the front-end level, and not wh...

CVSS 8.8 | AI score 7.3 | EPSS 0.00262
Exploits: 0 | References: 1
Vulnrichment
added 2025/03/28 2:42 p.m., 11 views

CVE-2025-29928 authentik's deletion of sessions did not revoke sessions when using database session storage

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage which is a non-default setting, deleting sessions via the Web Interface or the API would not revoke the session and the session holder wou...

CVSS 8 | AI score 7 | EPSS 0.00243
Exploits: 0 | References: 2
CVE
added 2025/03/06 11:11 a.m., 73 views

CVE-2025-1666

CVE-2025-1666 refers to the WordPress cookie banner plugin Cookiebot CMP by Usercentrics. The Red Hat entry and Wordfence coverage confirm a vulnerability caused by a missing capability check in send_uninstall_survey() affecting all versions up to 4.4.1, allowing authenticated attackers with Subs...

CVSS 4.3 | AI score 6.7 | EPSS 0.00091
Exploits: 0 | References: 3