PT-2022-3410

Timothee Desurmont · Published 2022-05-12 · Updated 2023-08-02

CVE-2022-1650
CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: eventsource/eventsource versions prior to 2.0.2

Description: The issue is insufficient protection of sensitive data, allowing a remote attacker to gain unauthorized access to protected information. The cause is that sensitive information is not removed before it is stored or transferred. When fetching a URL that redirects to an external site, the user's cookies and authorization headers are sent to the third-party application, violating the same-origin policy.

Recommendations: For versions prior to 2.0.2, update to version 2.0.2 or later to resolve the issue. As a temporary workaround, restrict access to sensitive information and sanitize headers when redirecting to external sites to reduce the risk of exploitation.
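One way to implement the header sanitization the recommendation describes, as an added example that is not the eventsource project's own code; the credential header set, sample URLs and simulated redirect chain are constructed for illustration:

```javascript
// Added example (not code from the eventsource project): strip credential-bearing
// request headers when a redirect leaves the origin the request started on.
// The header set and the sample URLs below are constructed for illustration.
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization']);

// Two URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the absolute redirect target and the headers that may accompany it.
// Location may be relative, so it is resolved against the current URL.
function headersForRedirect(currentUrl, location, headers) {
  const target = new URL(location, currentUrl).href;
  const crossOrigin = !sameOrigin(currentUrl, target);
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    // Credentials issued for the first origin must not reach a different one.
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    kept[name] = value;
  }
  return { target, headers: kept, crossOrigin };
}

// Simulated redirect chain (constructed): maps a URL to its 3xx Location, or
// null for a final 200. A real client would read these from HTTP responses.
function followRedirects(startUrl, headers, responses, maxRedirects = 5) {
  let url = startUrl, hops = 0, current = { ...headers };
  while (responses[url] !== null) {
    if (responses[url] === undefined) throw new Error('no response for ' + url);
    if (++hops > maxRedirects) throw new Error('too many redirects');
    const next = headersForRedirect(url, responses[url], current);
    url = next.target;
    current = next.headers;
  }
  return { url, headers: current };
}

// Constructed scenario: the same-origin hop keeps the cookie and token,
// the cross-origin hop to cdn.example drops both but keeps Accept.
const sampleHeaders = { Cookie: 'session=abc', Authorization: 'Bearer t0k', Accept: 'text/event-stream' };
const sampleResponses = {
  'https://app.example/stream': '/v2/stream',
  'https://app.example/v2/stream': 'https://cdn.example/stream',
  'https://cdn.example/stream': null,
};
```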

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2022-04184
CESA-2022_6057
CVE-2022-1650
DLA-3235-1
GHSA-6H5X-7C5M-7CR7
RHSA-2022:6037
RHSA-2022:6057
RHSA-2022_6057
RLSA-2022:6057
USN-6082-1

Affected Products

Centos
Linuxmint
Red Hat
Rocky Linux
Ubuntu
Eventsource