42 matches found
OpenNebula cross-site scripting vulnerability
OpenNebula is an open-source cloud computing platform developed by OpenNebula, used for managing heterogeneous distributed data center infrastructures. Version 6.10.0.1 of OpenNebula contains a cross-site scripting vulnerability. This vulnerability stems from a custom authentication driver that h...
DEBIAN-CVE-2026-40895
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
CVE-2026-40895
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
CVE-2026-40895 follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
EUVD-2026-24472
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
CVE-2026-40895
The CVE-2026-40895 entry concerns the open-source follow-redirects package (Node.js http/https replacement). Before version 1.16.0, HTTP requests that followed cross-domain redirects could forward custom authentication headers (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) to the redirect target...
PT-2026-34171
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
Summary: When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips the authorization, proxy-authorization, and cookie headers matched by the regex at index.js:469-476. Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded...
GHSA-R4Q5-VMMM-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
Summary: When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips the authorization, proxy-authorization, and cookie headers matched by the regex at index.js:469-476. Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded...
CVE-2022-27244
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user...
PT-2025-44917
Name of the Vulnerable Software and Affected Versions: CE21 Suite plugin for WordPress, versions prior to 2.3.2. Description: The CE21 Suite plugin for WordPress is susceptible to sensitive information exposure through the log file. This allows unauthenticated attackers to extract sensitive data,...
Multi-Factor Authentication in Spring Security 7
In 2013, it was proposed to add multi-factor authentication into Spring Security. That was the year that “selfie” was added to the English dictionary and “What Does the Fox Say?” was a viral YouTube hit. Needless to say, one of the biggest features in Spring Security 7 is a long time coming, and ...
Malicious code in eslint-plugin-custom-msal-w (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware e152a7488bd0f7129231f38c46e92a0a1163247faac591a269193b2b08231736. Any computer that has this package installed or running should be considered...
EUVD-2022-31753
Malicious code in bioql PyPI...
EUVD-2024-52841
Malicious code in bioql PyPI...
EUVD-2022-3531
Malicious code in bioql PyPI...
CVE-2024-58267 Rancher CLI SAML authentication is vulnerable to phishing attacks
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens...
djoser Authentication Bypass
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks...