Haxatron1

Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21 Description: A flaw in the experimental permission model of Node.js allows malicious actors to retrieve stats from files they do not have explicit read access to when the --allow-fs-read flag is used. This issue arises from an inadequate permission model that fails to restrict file stats through the `fs.lstat` API. Recommendations: For Node.js versions 20 and 21, consider disabling the experimental permission model until a patch is available. Restrict access to the `fs.lstat` API to minimize the risk of exploitation. Avoid using the --allow-fs-read flag in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 110 **Description** The issue is related to security setting errors in Mozilla Firefox on Windows operating systems. It allows a remote attacker to access confidential information by exploiting the vulnerability using a created .scf script. After downloading a Windows .scf script from the local filesystem, an attacker could supply a remote path, leading to unexpected network requests from the operating system and potentially leaking NTLM credentials to the resource. **Recommendations** For versions prior to 110, update to version 110 or later to resolve the issue. As a temporary workaround, consider restricting access to .scf scripts to minimize the risk of exploitation. Avoid using remote paths in the affected script until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 14.21.1 Node.js versions prior to 16.18.1 Node.js versions prior to 18.12.1 Node.js versions prior to 19.0.1 **Description** A OS Command Injection vulnerability exists in Node.js due to an insufficient IsAllowedHost check that can easily be bypassed, allowing rebinding attacks. The issue is related to the `--inspect` parameter and errors in converting octal IP addresses. This can allow a remote attacker to execute arbitrary code. The estimated number of potentially affected devices worldwide is not available. **Recommendations** For versions prior to 14.21.1, update to version 14.21.1 or later. For versions prior to 16.18.1, update to version 16.18.1 or later. For versions prior to 18.12.1, update to version 18.12.1 or later. For versions prior to 19.0.1, update to version 19.0.1 or later. As a temporary workaround, consider disabling the `--inspect` parameter until a patch is available. Restrict access to the `--inspect` feature to minimize the risk of exploitation. Avoid using invalid octal IP addresses in the `--inspect` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** cURL versions prior to 7.85.0 **Description** The issue is related to insufficient input validation when handling cookies with control codes, specifically byte values less than 32. This can be exploited by a remote attacker to cause a denial of service (400 Bad Request error) by sending specially crafted cookie files. The vulnerability effectively allows a "sister site" to deny service to all siblings when curl is used to retrieve and parse cookies from an HTTP(S) server. **Recommendations** For versions prior to 7.85.0, update to curl version 7.85.0 to resolve the issue. As a temporary workaround, consider restricting the use of control codes in cookies to minimize the risk of exploitation. Avoid using cookies that contain control codes (byte values below 32) in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** cURL (affected versions not specified) **Description** The issue is related to the curl URL parser, which wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL. This can make it a different URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/` would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks, and more. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl versions (affected versions not specified) **Description** The issue is related to libcurl's handling of cookies for Top Level Domains (TLDs) when the hostname is provided with a trailing dot. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. The problem arises because the check to prevent cookies from being set on TLDs is broken when the hostname in the URL uses a trailing dot. libcurl's "cookie engine" can be built with or without Public Suffix List awareness, but the rudimentary check in place to prevent cookies from being set on TLDs when PSL support is not provided is ineffective in this scenario. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cURL (affected versions not specified) **Description** The issue is related to the implementation of the HSTS (HTTP Strict Transport Security) mechanism in the cURL utility. It could be bypassed if the hostname in the given URL used a trailing dot while not using one when it built the HSTS cache, or the other way around. This could allow an attacker to intercept traffic and gain unauthorized access to protected information. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.