Ranjit-Git

**Name of the Vulnerable Software and Affected Versions** urllib3 versions prior to 1.26.18 urllib3 versions prior to 2.0.7 **Description** The issue is related to the urllib3 library, a user-friendly HTTP client for Python, which previously did not remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 occurred after the request had its method changed from one that could accept a request body to GET. This behavior, although not specified in the section for redirects, can be inferred from other sections of HTTP RFCs and is observed in other major HTTP client implementations like curl and web browsers. The vulnerability requires a previously trusted service to become compromised to have an impact on confidentiality, and its exploitability is considered low. Additionally, many users do not put sensitive data in HTTP request bodies, making the vulnerability not exploitable in such cases. Two conditions must be true to be affected: using urllib3 and submitting sensitive information in the HTTP request body, and the origin service being compromised and starting to redirect using 301, 302, or 303 to a malicious peer or the redirected-to service becoming compromised. **Recommendations** Update to version 1.26.18 or later to resolve the issue. Update to version 2.0.7 or later to resolve the issue. For users unable to update, disable redirects for services that aren't expecting to respond with redirects by setting `redirects=False`, and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

**Name of the Vulnerable Software and Affected Versions** urllib3 versions prior to 1.26.17 urllib3 versions prior to 2.0.5 **Description** The issue is related to the handling of the `Cookie` HTTP header in urllib3, a user-friendly HTTP client library for Python. If a user specifies a `Cookie` header and does not disable redirects explicitly, it is possible to leak information via HTTP redirects to a different origin. The number of usages affected by this advisory is believed to be low, requiring specific conditions to be met, including the use of an affected version of urllib3, the `Cookie` header on requests, not disabling HTTP redirects, and either not using HTTPS or the origin server redirecting to a malicious origin. **Recommendations** For versions prior to 1.26.17, upgrade to at least urllib3 version 1.26.17. For versions prior to 2.0.5, upgrade to at least urllib3 version 2.0.5. As a temporary workaround, consider disabling HTTP redirects using `redirects=False` when sending requests. Avoid using the `Cookie` header on requests unless necessary, and ensure that redirects are properly handled to prevent information leakage.

**Name of the Vulnerable Software and Affected Versions** Undici versions prior to 5.26.2 **Description** The issue is related to the handling of headers in the Undici HTTP/1.1 client for Node.js. Specifically, prior to version 5.26.2, Undici cleared Authorization headers on cross-origin redirects but did not clear `cookie` headers. By design, `cookie` headers are forbidden request headers, which can lead to accidental leakage of cookies to a third-party site or allow a malicious attacker to leak cookies if they can control the redirection target. **Recommendations** For versions prior to 5.26.2, update to version 5.26.2 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive `cookie` headers until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** SilverStripe Framework versions prior to 4.10.9 SilverStripe Framework through 2022-04-07 **Description** The issue allows for Stored XSS to occur in javascript link tags added via XMLHttpRequest (XHR). This can happen when an authenticated CMS user adds malicious content to a website via XHR, specifically inside the href attribute of an HTML hyperlink. **Recommendations** For SilverStripe Framework versions prior to 4.10.9, update to version 4.10.9 or later to resolve the issue. For SilverStripe Framework through 2022-04-07, ensure that all updates up to 2022-04-07 are applied to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the XHR functionality for authenticated CMS users until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Silverstripe silverstripe/assets versions through 1.10 **Description** The issue is related to improper access control, allowing protected images to be published by changing an existing image short code on website content. Specifically, draft protected images can be published by modifying the existing image shortcode to match the ID of the draft protected image and then publishing the website content. **Recommendations** For versions through 1.10, consider restricting access to the image shortcode feature until a patch is available. As a temporary workaround, avoid using the image shortcode to publish draft protected images. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Combodi iTop versions prior to 2.7.6 and 3.0.0 **Description** Combodi iTop is a web-based IT Service Management tool. The issue allows for cross-site scripting for scripts outside of script tags when displaying HTML attachments. There are currently no known workarounds for this issue. **Recommendations** For versions prior to 2.7.6, update to version 2.7.6 or later. For versions prior to 3.0.0, update to version 3.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Twisted (affected versions not specified) **Description** The issue is related to the exposure of cookies and authorization headers when following cross-origin redirects. This problem is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. The vulnerability allows a remote attacker to access confidential data. **Recommendations** As a temporary workaround, consider disabling the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions until a patch is available. Users are advised to upgrade to a newer version to resolve the issue. At the moment, there is no information about a specific newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** log4js-node versions prior to 6.4.0 **Description** The issue is related to the default file permissions for log files created by the file, fileSync, and dateFile appenders in log4js-node, which are world-readable in Unix. This could cause problems if log files contain sensitive information, affecting users who have not supplied their own permissions for the files via the mode parameter in the config. **Recommendations** For versions prior to 6.4.0, update to log4js@6.4.0 to fix the issue. As a temporary workaround, consider passing the mode parameter to the configuration of file appenders to set custom permissions, as allowed by every version of log4js.

**Name of the Vulnerable Software and Affected Versions** node-fetch versions (affected versions not specified) **Description** The issue concerns exposure of sensitive information to an unauthorized actor. Specifically, node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, and `cookie2` when redirecting to an untrusted site. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LedgerSMB (affected versions not specified) **Description** The issue is related to LedgerSMB not checking the origin of HTML fragments merged into the browser's DOM. This can be exploited by sending a specially crafted URL to an authenticated user, potentially leading to remote code execution and information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LedgerSMB (affected versions not specified) **Description** The issue arises from insufficient HTML-encoding of error messages sent to the browser. This can be exploited by sending a specially crafted URL to an authenticated user, potentially leading to remote code execution and information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.