CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52796 – Password Pusher's rate limiter can be bypassed by forging proxy headers
https://notcve.org/view.php?id=CVE-2024-52796
Password Pusher, an open source application to communicate sensitive information over the web, comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service. In v1.49.0, a fix was implemented to only authorize proxies on local IPs which resolves this issue. As a workaround, one may add rules to one's proxy and/or firewall to not accept external proxy headers such as `X-Forwarded-*` from clients. Password Pusher, una aplicación de código abierto para comunicar información confidencial a través de la web, viene con un limitador de velocidad configurable. • https://docs.pwpush.com/docs/proxies/#trusted-proxies https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0 https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51989 – Cross-site Scripting (XSS) Vulnerability in PasswordPusher
https://notcve.org/view.php?id=CVE-2024-51989
Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected. Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. • https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •