Chromium1337

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions prior to 4.8.5 **Description** An issue allows an attacker to read any file on the server that the web server's user can access when the AllowArbitraryServer configuration setting is set to true. This is related to the mysql.allow local infile PHP configuration and the inadvertent ignoring of `options(MYSQLI OPT LOCAL INFILE)` calls. **Recommendations** For versions prior to 4.8.5, update to version 4.8.5 or later to resolve the issue. As a temporary workaround, consider setting the AllowArbitraryServer configuration setting to false to minimize the risk of exploitation. Additionally, restrict the use of the `mysql.allow local infile` PHP configuration to prevent unauthorized file access.

**Name of the Vulnerable Software and Affected Versions** parcel-bundler versions prior to 1.10.0 **Description** An issue in HMRServer.js allows attackers to steal a developer's code due to the lack of origin validation on the WebSocket server used for Hot Module Replacement (HMR). This enables anyone to receive HMR messages sent by the WebSocket server via a ws://127.0.0.1 connection from any origin. The vulnerability can be exploited by finding the random TCP port number used by the WebSocket server, which can be discovered by connecting to http://127.0.0.1 and examining the source code for the "new WebSocket" line. **Recommendations** Update to version 1.10.0 or later. As a temporary workaround, consider restricting access to the WebSocket server used for HMR to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** webpack-dev-server versions prior to 3.1.10 webpack-dev-server versions prior to 3.1.6 **Description** An issue in the WebSocket server used for Hot Module Replacement (HMR) allows attackers to steal a developer's source code because the origin of requests is not validated. This enables a remote attacker to receive HMR messages sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin. **Recommendations** For versions prior to 3.1.6, update to version 3.1.11 or later. For versions prior to 3.1.10, update to version 3.1.11 or later.

**Name of the Vulnerable Software and Affected Versions** Gogs versions prior to 0.12 **Description** The issue allows remote attackers to redirect users to arbitrary websites, potentially leading to phishing attacks. This is achieved via an initial `/` substring in the `redirect to` parameter. The `isValidRedirect` function in `routes/user/auth.go` is related to this issue. **Recommendations** For versions prior to 0.12, consider restricting access to the `redirect to` parameter in the user/login endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `redirect to` parameter with initial `/` substrings until a patch is available.