Vulnerabilities

1 via 1 paths

Dependencies

358

Source

GitHub


high severity
new

Improper Removal of Sensitive Information Before Storage or Transfer

  • Vulnerable module: follow-redirects
  • Introduced through: follow-redirects@1.15.11

Detailed paths

  • Introduced through: parse-server@parse-community/parse-server > follow-redirects@1.15.11
    Remediation: Upgrade to follow-redirects@1.16.0.

Overview

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer: cross-domain redirects do not strip custom authentication headers (such as X-API-Key, X-Auth-Token, Api-Key, Token). An attacker can obtain these sensitive authentication headers by triggering a cross-domain redirect that forwards them to an attacker-controlled domain.

Remediation

Upgrade follow-redirects to version 1.16.0 or higher.

medium severity
new

MPL-2.0 license

  • Module: web-push
  • Introduced through: @parse/push-adapter@8.4.0

Detailed paths

  • Introduced through: parse-server@parse-community/parse-server > @parse/push-adapter@8.4.0 > web-push@3.6.7