Uug4Na

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description When following redirects to a different origin, aiohttp removes the `Authorization` header while keeping the `Cookie` and `Proxy-Authorization` headers. This could lead to the leakage of sensitive information contained in the `Cookie` and `Proxy-Authorization` headers to an unintended party. Recommendations Update to AIOHTTP version 3.13.4 or later.

**Name of the Vulnerable Software and Affected Versions** File Browser versions prior to 2.61.0 **Description** File Browser provides a file managing interface. A directory traversal issue exists in public share links prior to version 2.61.0. The `withHashFile` middleware in `http/public.go` incorrectly uses `filepath.Dir(link.Path)` to determine the filesystem root for shared directories. This allows anyone with a share link to access files in sibling directories, leading to unauthenticated information disclosure. The issue affects both directory listing via `/api/public/share/{hash}` and file download via `/api/public/dl/{hash}/path`. The root cause is that the filesystem root is set to the parent directory instead of the shared directory itself. This allows access to files outside the intended shared directory. **Recommendations** Update File Browser to version 2.61.0 or later.

**Name of the Vulnerable Software and Affected Versions** lxml html clean versions prior to 0.4.4 **Description** The software does not properly handle the `<base>` tag during HTML cleaning. Specifically, the `<base>` tag is not removed even when `page structure=True`, which removes `html`, `head`, and `title` tags. This allows an attacker to inject a `<base>` tag and hijack relative links on the page. Injecting a `<base>` tag changes the base URL for all relative URLs on the page, including links, images, and scripts, to a domain controlled by the attacker. This can lead to phishing, redirection of form submissions, cross-site scripting (XSS), and defacement of the webpage. The API endpoint is not mentioned. The vulnerable parameter is not mentioned. The vulnerable function is not mentioned. **Recommendations** Update to lxml html clean version 0.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** lxml html clean versions prior to 0.4.4 **Description** The ` has sneaky javascript()` method in lxml html clean incorrectly strips backslashes before checking for dangerous CSS keywords. This allows CSS Unicode escape sequences to bypass the `@import` and `expression()` filters, potentially enabling external CSS loading or cross-site scripting (XSS) in older browsers. The root cause is a faulty backslash stripping operation within the `clean.py` file, around line 594. Specifically, the line `style = style.replace('', '')` transforms payloads like `@69mport` into `@69mport`, which bypasses the blacklist. Modern browsers interpret `69` as the character 'i' according to CSS specifications, effectively allowing the `@import` statement to execute. This bypass also affects the detection of `expression()`, posing a risk in older versions of Internet Explorer. A proof of concept demonstrates that a normally blocked `@import` statement can be successfully executed using the Unicode escape bypass. This could lead to data exfiltration through attribute selectors, UI redressing, and phishing attacks. In older browsers, it could enable full XSS via the `expression()` function. **Recommendations** Versions prior to 0.4.4 should be updated to version 0.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** path-to-regexp versions prior to 8.4.0 **Description** A flawed regular expression is created when multiple sequential optional groups (using curly brace syntax) are present, such as `{a}{b}{c}:z`. The resulting regular expression expands exponentially with the number of groups, potentially leading to a denial of service. Avoid passing user-controlled input as route patterns. **Recommendations** Versions prior to 8.4.0 should be updated to version 8.4.0 or later. Limit the number of sequential optional groups in route patterns.