Lucene search
K

4 matches found

OSV
OSV
added 2026/06/18 5:22 p.m.9 views

GHSA-GFJ5-979R-92PW @acastellon/auth: Authentication bypass via spoofable headers in validateToken()

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...

9.3CVSS5.5AI score0.00543EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/18 5:22 p.m.26 views

@acastellon/auth: Authentication bypass via spoofable headers in validateToken()

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...

8.7CVSS5.5AI score0.00543EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/06/18 12:0 a.m.43 views

@acastellon/auth: Authentication bypass via spoofable headers in validateToken()

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...

8.7CVSS5.5AI score0.00543EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2022/11/21 11:15 a.m.5 views

CVE-2022-1579

The function checkisloginpage uses headers for the IP check, which can be easily spoofed...

7.5CVSS5.8AI score0.00664EPSS
Exploits2References1
Rows per page
Query Builder