11 matches found
EUVD-2024-1419
Malicious code in bioql PyPI...
Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Note On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure polyfill.io and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. The following sections describe this vulnerability prior to the domain level...
CVE-2024-38537 Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Fides is an open-source privacy engineering platform. fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard...
CVE-2024-38537 Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Fides is an open-source privacy engineering platform. fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard...
CVE-2024-38537 Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Fides is an open-source privacy engineering platform. fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard...
GHSA-CG34-W3FM-82H3 Duplicate Advisory: Scrapy leaks the authorization header on same-domain but cross-origin redirects
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4qqq-9vqf-3h3f. This link is maintained to preserve external references. Original Description In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only...
PYSEC-2024-258
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme e.g., HTTPS to HTTP but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in...
PYSEC-2024-258
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme e.g., HTTPS to HTTP but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in...
DEBIAN-CVE-2024-1968
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme e.g., HTTPS to HTTP but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in...
CVE-2024-1968
CVE-2024-1968 affects Scrapy’s redirect middleware, specifically the _build_redirect_request path, where the Authorization header is not stripped when a redirect downgrades from HTTPS to HTTP within the same domain. This can leak credentials in plaintext during cross-origin-like redirects that ch...
CVE-2024-1968 Authorization Header Leakage in scrapy/scrapy on Scheme Change Redirects
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme e.g., HTTPS to HTTP but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in...