B0-N0-B0

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.39 and below **Description** Feathersjs is a framework used for building web APIs and real-time applications. A flaw exists where the redirect query parameter is added to the base origin without proper validation. This allows attackers to steal access tokens through URL authority injection, potentially leading to full account takeover. The application builds the redirect URL by combining the base origin with a user-provided redirect parameter. This is exploitable when origins do not end with a forward slash (/). An attacker can provide a malicious redirect value, such as `@attacker.com`, resulting in a URL like `https://target.com@attacker.com#access token=...`. The browser then interprets `attacker.com` as the host, enabling the attacker to obtain the victim's access token and impersonate them. **Recommendations** Update to version 5.0.40 or later.

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.39 and below **Description** Feathersjs is a framework used for building web APIs and real-time applications. A flaw in origin validation, specifically using the `startsWith()` function for comparison, allows attackers to bypass origin checks. This bypass is possible by registering a domain that shares a common prefix with an allowed origin. The `getAllowedOrigin()` function inadequately validates the prefix of the Referer header against allowed origins. An attacker can initiate the OAuth flow from an unauthorized origin and potentially steal tokens, leading to full account takeover. **Recommendations** Update to version 5.0.40 or later.

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.39 and below **Description** Feathersjs is a framework used for building web APIs and real-time applications. Versions 5.0.39 and below store all HTTP request headers in a session cookie that is signed but not encrypted. This can expose internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, which is then persisted using cookie-session and base64-encoded. While the cookie is signed, the data is readable by decoding the base64 value. In certain deployment configurations, such as those behind reverse proxies or API gateways, this can lead to the disclosure of sensitive internal infrastructure details like API keys, service tokens, and internal IP addresses. The issue involves the storage of sensitive information in the session cookie, specifically impacting the handling of HTTP request headers and OAuth service data. **Recommendations** Update to version 5.0.40 or later.

**Name of the Vulnerable Software and Affected Versions** Stalwart versions 0.13.3 and below **Description** Stalwart, a mail and collaboration server, has an issue where the IMAP protocol parser can allocate an unlimited amount of memory. This can allow a remote attacker to exhaust server memory, potentially triggering the system's out-of-memory (OOM) killer and causing a denial of service. The `CommandParser` implementation generally limits the size of its dynamic buffer during parsing, but some state handlers do not perform these validation checks. **Recommendations** Update to version 0.13.4 or later. Implement rate limiting and connection monitoring at the network level as a workaround.

Nome do Software Vulnerável e Versões Afetadas: Versões do Stalwart 0.12.0 até 0.13.2 Descrição: O Stalwart é um servidor de e-mail e colaboração. Existe uma vulnerabilidade de exaustão de memória na implementação CalDAV do Stalwart que permite que atacantes autenticados causem uma negação de serviço ao desencadear consumo de memória ilimitado através da expansão de eventos recorrentes. Um atacante autenticado pode derrubar o servidor Stalwart criando eventos recorrentes com cargas úteis grandes e desencadeando sua expansão através de requisições CalDAV `REPORT`. Uma única requisição maliciosa expandindo 300 eventos com descrições de 1000 caracteres pode consumir até 2 GB de memória. A vulnerabilidade existe na função `ArchivedCalendarEventData.expand`, que processa requisições CalDAV `REPORT` com expansão de eventos. Quando um cliente solicita eventos recorrentes em sua forma expandida usando o elemento `<C:expand>`, o servidor armazena todas as instâncias de eventos expandidos na memória sem impor limites de tamanho. Recomendações: Atualize para a versão 0.13.3 ou posterior do Stalwart. Se a atualização imediata não for possível, implemente limites de memória no nível do container/sistema. Monitore o uso de memória do servidor em busca de picos incomuns. Considere limitar a taxa de requisições CalDAV `REPORT`. Restrinja o acesso CalDAV apenas a usuários confiáveis.