13 matches found
MAL-2026-4858 Malicious code in @service-user-notifications/set_refresh_interval (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b13124f8eaabc2481894f69a70d43e10c28911bd5e2ef7e23716ae26b1113f5f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...
CVE-2026-40302
CVE-2026-40302 affects zrok prior to v2.0.1. The proxyUi template engine used Go's text/template (no HTML escaping), leading to reflected XSS via an attacker-controlled refreshInterval error rendered in the GitHub OAuth callback. An attacker can send a crafted login URL; after OAuth completes, th...
zrok 安全漏洞
Zrok is a secure internet sharing tool developed by OpenZiti. Versions of Zrok prior to 2.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the use of the text/template template engine without proper escaping of the refreshInterval parameter, which could lead to cross-sit...
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
Summary The proxyUi template engine uses Go's text/template which performs no HTML escaping instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when...
PT-2026-33378
Summary The proxyUi template engine uses Go's text/template which performs no HTML escaping instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when...
GO-2024-2744 Access control change may take longer than expected in github.com/authelia/authelia/v4
If the file authentication backend is being used, the ewatch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to...
GHSA-X883-2VMG-XWF7 Authelia's Group Changes may not have the expected results (YAML file backend)
Impact Under very specific conditions changes to a users groups may not have the expected results. The specific conditions are: The file authentication backend is being used. The watch option is set to true. The refreshinterval is configured to a non-disabled value. The users groups are adjusted ...