CVE-2023-45857 – axios: exposure of confidential data stored in cookies
https://notcve.org/view.php?id=CVE-2023-45857
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information. Because the value is an anti-CSRF credential, any third-party host that receives it can reuse it to satisfy the application's CSRF check. A flaw was found in Axios that may expose a confidential session token. This issue can allow a remote attacker to bypass security measures and view sensitive data.
• https://github.com/valentin-panov/CVE-2023-45857 https://github.com/fuyuooumi1027/CVE-2023-45857-Demo https://github.com/intercept6/CVE-2023-45857-Demo https://github.com/axios/axios/issues/6006 https://security.netapp.com/advisory/ntap-20240621-0006 https://access.redhat.com/security/cve/CVE-2023-45857 https://bugzilla.redhat.com/show_bug.cgi?id=2248979
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-352: Cross-Site Request Forgery (CSRF)
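The behaviour described above, as an added example that is not axios source code: a simplified standalone model of a browser client deciding whether to copy the anti-CSRF cookie into a request header, with the leaking shape beside a hardened one that only attaches the header to same-origin requests. The option names (xsrfCookieName, xsrfHeaderName, withXSRFToken) mirror the public axios config as I understand it and are assumptions here; the page origin, cookie jar and hostnames are constructed.

```javascript
// Added example, not axios source: a simplified model of a browser client
// deciding whether to copy an anti-CSRF cookie into a request header.
// Option names mirror the public axios config (xsrfCookieName,
// xsrfHeaderName, withXSRFToken) as an assumption; the implementation is a
// standalone reimplementation for illustration.

const DEFAULTS = { xsrfCookieName: 'XSRF-TOKEN', xsrfHeaderName: 'X-XSRF-TOKEN' };

// Constructed stand-ins for window.location.origin and document.cookie.
const PAGE_ORIGIN = 'https://app.example';
const COOKIES = { 'XSRF-TOKEN': 'tok-8f1a2b3c' };

function readCookie(name) {
  return COOKIES[name];
}

function isSameOrigin(requestUrl) {
  // Relative URLs resolve against the page, so "/api/x" is same-origin.
  return new URL(requestUrl, PAGE_ORIGIN).origin === PAGE_ORIGIN;
}

// Vulnerable shape (the behaviour the advisory describes): whenever the
// cookie is readable, the header is attached, whatever host the request
// goes to.
function buildHeadersVulnerable(requestUrl, config = {}) {
  const cfg = { ...DEFAULTS, ...config };
  const headers = {};
  const token = readCookie(cfg.xsrfCookieName);
  if (token) headers[cfg.xsrfHeaderName] = token;
  return headers;
}

// Hardened shape: attach only to the page's own origin, unless the caller
// explicitly opts in with withXSRFToken: true; withXSRFToken: false disables
// it even for same-origin requests.
function buildHeadersFixed(requestUrl, config = {}) {
  const cfg = { ...DEFAULTS, ...config };
  const headers = {};
  const allowed = cfg.withXSRFToken === true ||
    (cfg.withXSRFToken !== false && isSameOrigin(requestUrl));
  if (!allowed) return headers;
  const token = readCookie(cfg.xsrfCookieName);
  if (token) headers[cfg.xsrfHeaderName] = token;
  return headers;
}

// Where the token ends up for a cross-origin request (a third-party host the
// page happens to call, e.g. an analytics endpoint; constructed name).
function demo() {
  const crossOrigin = 'https://third-party.example/collect';
  return {
    vulnerableLeaks: 'X-XSRF-TOKEN' in buildHeadersVulnerable(crossOrigin),
    fixedLeaks: 'X-XSRF-TOKEN' in buildHeadersFixed(crossOrigin),
    fixedSameOrigin: 'X-XSRF-TOKEN' in buildHeadersFixed('/api/transfer'),
  };
}

console.log(demo());
```

Runs under Node.js (the WHATWG URL class is a global). The practitioner's check is the first two fields of demo(): the vulnerable builder puts the token on the cross-origin request, the hardened one does not, while same-origin calls still carry it.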
CVE-2021-3749 – Inefficient Regular Expression Complexity in axios/axios
https://notcve.org/view.php?id=CVE-2021-3749
axios is vulnerable to Inefficient Regular Expression Complexity. A Regular Expression Denial of Service (ReDoS) vulnerability was found in the Node.js axios package. This flaw allows an attacker to provide crafted input to the trim function, which might cause high resource consumption and consequently lead to denial of service. The highest threat from this vulnerability is to system availability.
• https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929 https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31 https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8%40%3Ccommits.druid.a
• CWE-400: Uncontrolled Resource Consumption • CWE-1333: Inefficient Regular Expression Complexity
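The ReDoS mechanism, as an added example that is not the axios source: a trim() with an unanchored-start `\s*$` pattern beside a linear-time replacement, and a constructed payload (many whitespace characters followed by one non-space) that makes the regex engine retry the end anchor from every index. The exact vulnerable and fixed regexes in axios are in the linked commit; the shapes below are my reconstruction and should be treated as an assumption.

```javascript
// Added example, not axios source: reconstruction of a quadratic trim() beside
// a linear one, plus a constructed payload that triggers the backtracking.

// Vulnerable shape: `\s*$` is attempted from every index in the string; on
// N spaces followed by a non-space it does O(N^2) work before giving up.
function trimVulnerable(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Hardened shape: native String#trim is linear; the fallback anchors both ends
// in one alternation so each character is examined a bounded number of times.
function trimFixed(str) {
  return str.trim ? str.trim() : str.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
}

// Constructed ReDoS payload: leading whitespace that can never satisfy the
// end anchor because a single non-space character follows it.
function redosPayload(n) {
  return ' '.repeat(n) + 'x';
}

function timeMs(fn, arg) {
  const t0 = process.hrtime.bigint();
  fn(arg);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Both implementations must agree on the result; only the cost differs.
function compare(n) {
  const payload = redosPayload(n);
  return {
    sameResult: trimVulnerable(payload) === trimFixed(payload),
    vulnerableMs: timeMs(trimVulnerable, payload),
    fixedMs: timeMs(trimFixed, payload),
  };
}

// Doubling n roughly quadruples the vulnerable time and leaves the fixed
// time flat; the numbers depend on the machine and are not asserted.
console.log(compare(10000));
```

In a client library the input that reaches trim() is typically a header value from the server's response, so a malicious or compromised upstream can feed the payload; the practitioner's check is to run compare() with increasing n and watch vulnerableMs grow quadratically while fixedMs stays flat.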
CVE-2020-28168
https://notcve.org/view.php?id=CVE-2020-28168
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability: an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
• https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/axios/axios/issues/3369 https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E
• CWE-918: Server-Side Request Forgery (SSRF)
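The redirect-based bypass, as an added example that is not axios code: a minimal redirect-following client over a constructed in-memory transport. It models the egress control as an in-process destination denylist rather than the proxy the advisory mentions (an assumption made so the example runs offline); the point is the same, a check applied only to the URL the caller supplied is silently skipped for the hops a redirect introduces. The hostnames and responses are constructed.

```javascript
// Added example, not axios code: a redirect-following client over a
// constructed transport, showing why checking only the first URL does not
// stop SSRF when the server answers with a redirect.

// Constructed responses standing in for real servers.
const FAKE_NET = {
  'https://public.example/report': {
    status: 302, headers: { location: 'http://169.254.169.254/latest/meta-data/' },
  },
  'http://169.254.169.254/latest/meta-data/': { status: 200, body: 'instance-id=i-0123' },
  'https://public.example/hop': { status: 301, headers: { location: '/ok' } },
  'https://public.example/ok': { status: 200, body: 'hello' },
};

// Restricted destinations: loopback, link-local (cloud metadata), RFC 1918.
function isRestrictedHost(hostname) {
  if (hostname === 'localhost' || hostname.startsWith('127.')) return true;
  if (hostname.startsWith('169.254.')) return true;
  if (hostname.startsWith('10.')) return true;
  if (/^192\.168\./.test(hostname)) return true;
  if (/^172\.(1[6-9]|2\d|3[01])\./.test(hostname)) return true;
  return false;
}

function assertAllowed(url) {
  const { hostname } = new URL(url);
  if (isRestrictedHost(hostname)) throw new Error(`blocked destination: ${hostname}`);
}

// Transport layer: resolves relative Location headers against the current
// URL and keeps following until a non-3xx response or the hop limit.
function transport(url, { onHop, maxRedirects = 5 } = {}) {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (onHop) onHop(current);
    const res = FAKE_NET[current];
    if (!res) throw new Error(`no route to ${current}`);
    const redirect = res.status >= 300 && res.status < 400 && res.headers && res.headers.location;
    if (redirect) {
      current = new URL(res.headers.location, current).toString();
      continue;
    }
    return { finalUrl: current, status: res.status, body: res.body };
  }
  throw new Error('too many redirects');
}

// Vulnerable shape: the policy is applied once, to the caller's URL; the
// transport then follows redirects without consulting it again.
function fetchVulnerable(url) {
  assertAllowed(url);
  return transport(url);
}

// Hardened shape: the policy is applied to every destination the transport
// is about to contact, including each redirect target.
function fetchFixed(url) {
  assertAllowed(url);
  return transport(url, { onHop: assertAllowed });
}

console.log(fetchVulnerable('https://public.example/report'));   // reaches the metadata host
try { fetchFixed('https://public.example/report'); } catch (e) { console.log(e.message); }
```

The same hook is where a real client would route each hop through the configured proxy; whatever the control is, it has to see every destination, not just the first.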
CVE-2019-10742
https://notcve.org/view.php?id=CVE-2019-10742
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
• https://github.com/ossf-cve-benchmark/CVE-2019-10742 https://github.com/Viniciuspxf/CVE-2019-10742 https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505 https://github.com/axios/axios/issues/1098 https://github.com/axios/axios/pull/1485
• CWE-755: Improper Handling of Exceptional Conditions
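The failure mode above, as an added example that is not axios code: a response-body collector fed from a constructed chunk sequence, showing the difference between merely failing the request when maxContentLength is exceeded and actually stopping consumption. The FakeStream class, makeChunks() and the collector functions are my own constructions; the option name maxContentLength is the one the advisory uses.

```javascript
// Added example, not axios code: a body collector over a constructed stream,
// showing that failing the request without destroying the stream leaves the
// process buffering an unbounded response.

// Minimal stand-in for a readable socket: delivers chunks until destroyed.
class FakeStream {
  constructor(chunks) { this.chunks = chunks; this.destroyed = false; }
  destroy() { this.destroyed = true; }
  pump(onData, onEnd) {
    for (const chunk of this.chunks) {
      if (this.destroyed) return;          // a destroyed socket delivers nothing more
      onData(chunk);
    }
    if (!this.destroyed) onEnd();
  }
}

// Constructed response: eight 8-byte chunks, 64 bytes in total.
function makeChunks() {
  return Array.from({ length: 8 }, (_, i) => Buffer.from(`chunk-${i}|`));
}

// Vulnerable shape: the limit check records a failure but neither stops the
// stream nor stops appending, so every remaining chunk is still buffered and
// the connection stays open until the peer closes it.
function collectVulnerable(stream, maxContentLength) {
  const parts = [];
  let total = 0;
  let outcome = null;
  const settle = (o) => { if (!outcome) outcome = o; };   // promise-like: first settle wins
  stream.pump(
    (chunk) => {
      parts.push(chunk);
      total += chunk.length;
      if (maxContentLength > -1 && total > maxContentLength) {
        settle({ error: 'maxContentLength exceeded' });
      }
    },
    () => settle({ body: Buffer.concat(parts).toString() }),
  );
  return { outcome, bytesBuffered: total, destroyed: stream.destroyed };
}

// Hardened shape: on exceeding the limit, destroy the stream so no further
// data arrives, drop what was buffered, and settle exactly once.
function collectFixed(stream, maxContentLength) {
  const parts = [];
  let total = 0;
  let outcome = null;
  const settle = (o) => { if (!outcome) outcome = o; };
  stream.pump(
    (chunk) => {
      total += chunk.length;
      if (maxContentLength > -1 && total > maxContentLength) {
        stream.destroy();
        parts.length = 0;
        settle({ error: 'maxContentLength exceeded' });
        return;
      }
      parts.push(chunk);
    },
    () => settle({ body: Buffer.concat(parts).toString() }),
  );
  const bytesBuffered = parts.reduce((n, c) => n + c.length, 0);
  return { outcome, bytesBuffered, destroyed: stream.destroyed };
}

console.log(collectVulnerable(new FakeStream(makeChunks()), 20));
console.log(collectFixed(new FakeStream(makeChunks()), 20));
```

With a 20-byte limit the vulnerable collector reports the error yet still holds all 64 bytes and never destroys the stream; the hardened one stops after the third chunk with nothing buffered. A limit of -1 (no limit) returns the full body in both.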