4 results (0.007 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability. follow-redirects es un reemplazo directo de código abierto para los módulos `http` y `https` de Node que sigue automáticamente las redirecciones. • https://fetch.spec.whatwg.org/#authentication-entries https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp https://github.com/psf/requests/issues/1885 https://hackerone.com/reports/2390009 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOIF4EPQUCKDBEVTGRQDZ3CGTYQHPO7Z https://access.redhat.com/security/cve/CVE-2024-28849 https://bugzilla.red • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 2

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. Las versiones del paquete follow-redirects anteriores a la 1.15.4 son vulnerables a una validación de entrada incorrecta debido al manejo inadecuado de las URL por parte de la función url.parse(). Cuando la nueva URL() arroja un error, se puede manipular para malinterpretar el nombre de host. • https://github.com/follow-redirects/follow-redirects/issues/235 https://github.com/follow-redirects/follow-redirects/pull/236 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137 https://access.redhat.com/security/cve/CVE-2023-26159 https://bugzilla.redhat.com/show_bug.cgi?id=2256413 • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8. Una Exposición de Información Confidencial a un Actor no Autorizado en NPM follow-redirects versiones anteriores a 1.14.8 A flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack. • https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445 https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db https://access.redhat.com/security/cve/CVE-2022-0536 https://bugzilla.redhat.com/show_bug.cgi?id=2053259 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •

CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 2

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor follow-redirects es vulnerable a una Exposición de Información Personal Privada a un Actor no Autorizado A flaw was found in follow-redirects when fetching a remote URL with a cookie when it gets to the Location response header. This flaw allows an attacker to hijack the account as the cookie is leaked. • https://github.com/coana-tech/CVE-2022-0155-PoC https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22 https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406 https://access.redhat.com/security/cve/CVE-2022-0155 https://bugzilla.redhat.com/show_bug.cgi?id=2044556 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •