Commit d547792

committed
[security] Add credits for CVE-2022-0691
1 parent ad23357 commit d547792

File tree

1 file changed

+12
-0
lines changed

SECURITY.md

Lines changed: 12 additions & 0 deletions
@@ -33,6 +33,18 @@ acknowledge your responsible disclosure, if you wish.
3333

3434
## History
3535

36+
> Leading control characters are not removed. This allows an attacker to bypass
37+
> hostname checks and makes the `extractProtocol` method return false positives.
38+
39+
- **Reporter credits**
40+
- Haxatron
41+
- GitHub: [@haxatron](https://github.com/haxatron)
42+
- Twitter: [@haxatron1](https://twitter.com/haxatron1)
43+
- Huntr report: https://www.huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4/
44+
- Fixed in: 1.5.9
45+
46+
---
47+
3648
> A URL with a specified but empty port can be used to bypass authorization
3749
> checks.
3850
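Review bot: the new history entry (the block added above the `---` separator) never names the vulnerability it credits, even though the commit message is "Add credits for CVE-2022-0691", so a reader of SECURITY.md has no way to match this entry to the advisory; consider adding a line such as `- CVE: CVE-2022-0691` next to the Huntr report link, and linking the `- Fixed in: 1.5.9` line to the release or fixing commit so the fix is verifiable from the entry itself. The rest of the block (quoted summary, reporter credits, separator) follows the same shape as the existing entry that follows it, so no other change is needed.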
