CVE-2023-46298
https://notcve.org/view.php?id=CVE-2023-46298
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Next.js anterior a 13.4.20-canary.13 carece de un encabezado de control de caché y, por lo tanto, a veces una CDN puede almacenar en caché respuestas de captación previa vacías, lo que provoca una denegación de servicio a todos los usuarios que solicitan la misma URL a través de esa CDN. • https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13 https://github.com/vercel/next.js/issues/45301 https://github.com/vercel/next.js/pull/54732 •
CVE-2020-5284 – Directory Traversal in Next.js versions below 9.3.2
https://notcve.org/view.php?id=CVE-2020-5284
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. • https://github.com/zeit/next.js/releases/tag/v9.3.2 https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVE-2018-18282
https://notcve.org/view.php?id=CVE-2018-18282
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. Next.js 7.0.0 y 7.0.1 tiene Cross-Site Scripting (XSS) mediante las páginas /_error 404 o 500. • https://github.com/ossf-cve-benchmark/CVE-2018-18282 https://github.com/zeit/next.js/releases/tag/7.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •