1747 matches found

CVE
added 2023/09/08 6:17 p.m. · 2494 views

CVE-2023-41338

The CVE-2023-41338 issue affects gofiber (Fiber) prior to v2.49.2 where ctx.IsFromLocal() may return true for requests with X-Forwarded-For: 127.0.0.1, allowing access to localhost-scoped resources. Root cause: improper handling of the X-Forwarded-For header in the Ctx.IsFromLocal logic, enabling...

CVSS 5.3 · AI score 5.1 · EPSS 0.0032
Exploits 0 · References 4 · Affected Software 1
Cvelist
added 2023/09/08 6:17 p.m. · 17 views

CVE-2023-41338 Vulnerability in Ctx.IsFromLocal() in gofiber

Fiber is an Express-inspired web framework built in the Go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the ctx.IsFromLocal method to restrict access to localhost requests. If exploited, it could...

CVSS 5.3 · AI score 5.5 · EPSS 0.0032
Exploits 0 · References 4
OSV
added 2023/09/08 6:17 p.m. · 18 views

CVE-2023-41338 Vulnerability in Ctx.IsFromLocal() in gofiber

Fiber is an Express-inspired web framework built in the Go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the ctx.IsFromLocal method to restrict access to localhost requests. If exploited, it could...

CVSS 5.3 · AI score 5.2 · EPSS 0.0032
Exploits 0 · References 6
OSV
added 2023/09/08 1:27 p.m. · 19 views

GHSA-3Q5P-3558-364F Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`

Impact: This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the ctx.IsFromLocal method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. In its...

CVSS 5.3 · AI score 5 · EPSS 0.0032
Exploits 0 · References 6
Github Security Blog
added 2023/09/08 1:27 p.m. · 28 views

Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`

Impact: This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the ctx.IsFromLocal method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. In its...

CVSS 5.3 · AI score 6.1 · EPSS 0.0032
Exploits 0 · References 6 · Affected Software 2
Positive Technologies
added 2023/09/08 12:00 a.m. · 4 views

PT-2023-27914 · Gofiber · Gofiber

Name of the Vulnerable Software and Affected Versions: gofiber versions prior to 2.49.2. Description: The issue impacts users who rely on the ctx.IsFromLocal method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost...

CVSS 5.3 · AI score 5.2 · EPSS 0.0032
Exploits 0 · References 12
CNNVD
added 2023/09/08 12:00 a.m. · 3 views

Fiber Security Breach

Fiber is an open source web framework written in the Go language. A security vulnerability exists in Fiber versions prior to 2.49.1 that stems from not properly restricting access to localhost, which could allow an unauthorized attacker to access resources supplied to the localhost only...

CVSS 5.3 · AI score 6.7 · EPSS 0.0032
Exploits 0 · References 5
0day.today
added 2023/09/06 12:00 a.m. · 278 views

AtlasVPN Linux Client 1.0.3 IP Leak Vulnerability

Remote disconnect exploit for AtlasVPN Linux client version 1.0.3 that will allow a remote website to extract a client's real IP address. The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN Linux client and leaks the user's IP address. I am not yet aware of ...

AI score 7.1
Exploits 0
0day.today
added 2023/09/04 12:00 a.m. · 171 views

CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin Gallery) Vulnerability

Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting Plugin 'Gallery' · CVE: CVE-2023-38911 · Exploit Author: Daniel González · Vendor Homepage: https://www.cszcms.com/ · Software Link: https://github.com/cskaza/cszcms · Version: 1.3.0 · Tested on: CSZ CMS 1.3.0 · Description: CSZ CMS 1.3.0 is affected b...

CVSS 5.4 · AI score 7.1 · EPSS 0.00125
Exploits 4
Packet Storm
added 2023/08/28 12:00 a.m. · 253 views

Horse Market Sell And Rent Portal Script 1.5.7 Cross Site Scripting

Title: Horse Market Sell & Rent Portal Script V1.5.7 xss via file uploads Vulnerability · Author: indoushka · Telegram: @indoushka · Tested on: windows ...

AI score 7.1
Exploits 0
Packet Storm
added 2023/08/22 12:00 a.m. · 334 views

OVOO Movie Portal CMS 3.3.3 SQL Injection

Exploit Title: OVOO Movie Portal CMS v3.3.3 - SQL Injection · Date: 2023-08-12 · Exploit Author: Ahmet Ümit BAYRAM · Vendor: https://codecanyon.net/item/ovoomovie-video-streaming-cms-with-unlimited-tvseries/20180569 · Tested on: Kali Linux & MacOS · CVE: N/A · Request: POST /filtermovies/1 HTTP/2 Host:...

AI score 7.1
Exploits 0
Vulnrichment
added 2023/07/17 3:18 p.m. · 12 views

CVE-2023-3577 Limited blind SSRF to localhost/intranet in interactive dialog implementation

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF...

CVSS 3.5 · AI score 6.8 · EPSS 0.00211
Exploits 0 · References 1
Cvelist
added 2023/07/17 3:18 p.m. · 13 views

CVE-2023-3577 Limited blind SSRF to localhost/intranet in interactive dialog implementation

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF...

CVSS 3.5 · AI score 4.9 · EPSS 0.00211
Exploits 0 · References 1
CNNVD
added 2023/07/17 12:00 a.m. · 1 view

Mattermost Code Issue Vulnerability

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability exists in Mattermost that stems from an improper restriction of requests to localhost/intranet, resulting in a Server Request Forgery (SSRF) vulnerability...

CVSS 4.3 · AI score 5.2 · EPSS 0.00211
Exploits 0 · References 2
Positive Technologies
added 2023/07/17 12:00 a.m. · 2 views

PT-2023-25299 · Unknown · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost, affected versions not specified. Description: Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. Recommendations: At the...

CVSS 4.3 · AI score 4.4 · EPSS 0.00211
Exploits 0 · References 8
Hacker One
added 2023/07/09 1:22 p.m. · 21 views

Nextcloud: Self XSS when sending HTML as a comment in the Deck app

A vulnerability was found in the Deck app comments that allowed HTML injection. This could lead to malicious script execution when a user clicked a specially crafted link. The issue was reported to the Nextcloud security team...

CVSS 5.4 · AI score 4.7 · EPSS 0.00369
Exploits 1
GithubExploit
added 2023/07/08 11:22 p.m. · 374 views

Exploit for Path Traversal in Icinga Icinga_Web_2

Icinga Web 2 - Authenticated Remote Code Execution 2.8.6, 2.9...

CVSS 8.8 · AI score 9.3 · EPSS 0.72512
Exploits 5
Malwarebytes
added 2023/07/03 2:00 a.m. · 13 views

Brave browser will prevent websites from port scanning visitors

If you use Brave browser, then you're shortly going to find you have a new string added to your security bow. Websites performing port scanning will now be automatically blocked beginning with version 1.54 of the browsing tool. Port scanning, I hear you cry? Yes indeed. You may well not have even...

AI score 6.7
Exploits 0
SUSE CVE
added 2023/06/20 1:14 a.m. · 2 views

SUSE CVE-2023-2431

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined seccomp...

CVSS 3.4 · AI score 7.3 · EPSS 0.0001
Exploits 0 · References 6
OSV
added 2023/06/16 9:30 a.m. · 12 views

GHSA-XC8M-28VV-4PJC Kubelet vulnerable to bypass of seccomp profile enforcement

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined seccomp...

CVSS 4.4 · AI score 4.7 · EPSS 0.0001
Exploits 0 · References 12