• Tech News
    • Games
    • Pc & Laptop
    • Mobile Tech
    • Ar & Vr
    • Security
  • Startup
    • Fintech
  • Reviews
  • How To
What's Hot

10 Necessary Skills For Managing The Day-To-Day Operations Of A Business

February 2, 2023

Whalesync, a Seattle startup syncing data between software apps, raises $1.8M – Startup

February 1, 2023

Panasonic LZ2000 (2022) review

February 1, 2023
Facebook Twitter Instagram
  • Contact
  • Privacy Policy
  • Terms & Conditions
Facebook Twitter Instagram Pinterest VKontakte
Behind The ScreenBehind The Screen
  • Tech News
    1. Games
    2. Pc & Laptop
    3. Mobile Tech
    4. Ar & Vr
    5. Security
    6. View All

    Bring Elden Ring to the table with the upcoming board game adaptation

    September 19, 2022

    ONI: Road to be the Mightiest Oni reveals its opening movie

    September 19, 2022

    GTA 6 images and footage allegedly leak

    September 19, 2022

    Wild west adventure Card Cowboy turns cards into weird and silly stories

    September 18, 2022

    7 Reasons Why You Should Study PHP Programming Language

    October 19, 2022

    Logitech MX Master 3S and MX Keys Combo for Business Gen 2 Review

    October 9, 2022

    Lenovo ThinkPad X1 Carbon Gen10 Review

    September 18, 2022

    Lenovo IdeaPad 5i Chromebook, 16-inch+120Hz

    September 3, 2022

    YouTube adds very convenient iPhone homescreen widgets

    October 15, 2022

    Google finishes iOS 16 Lock Screen widgets rollout w/ Maps

    October 14, 2022

    Is Apple actually turning iMessage into AIM or is this sketchy redesign rumor for laughs?

    October 14, 2022

    Samsung’s One UI 5 update is largely about personalization

    October 14, 2022

    MeetKai launches AI-powered metaverse, starting with a billboard in Times Square

    August 10, 2022

    The DeanBeat: RP1 simulates putting 4,000 people together in a single metaverse plaza

    August 10, 2022

    Improving the customer experience with virtual and augmented reality

    August 10, 2022

    Why the metaverse won’t fall to Clubhouse’s fate

    August 10, 2022

    How Apple privacy changes have forced social media marketing to evolve

    October 16, 2022

    Microsoft Patch Tuesday October Fixed 85 Vulnerabilities – Latest Hacking News

    October 16, 2022

    Decentralization and KYC compliance: Critical concepts in sovereign policy

    October 15, 2022

    What Thoma Bravo’s latest acquisition reveals about identity management

    October 14, 2022

    What is a Service Robot? The vision of an intelligent service application is possible.

    November 7, 2022

    Tom Brady just chucked another Microsoft Surface tablet

    September 18, 2022

    The best AIO coolers for your PC in 2022

    September 18, 2022

    YC’s Michael Seibel clarifies some misconceptions about the accelerator • DailyTech

    September 18, 2022
  • Startup
    • Fintech
  • Reviews
  • How To
Behind The ScreenBehind The Screen
Home»Security»Serious Netlify Vulnerability Could Allow XSS, SSRF Attacks
Security

Serious Netlify Vulnerability Could Allow XSS, SSRF Attacks

September 28, 2022No Comments2 Mins Read
Facebook Twitter Pinterest LinkedIn Tumblr Email
Latest Hacking News
Share
Facebook Twitter LinkedIn Pinterest Email

A serious security vulnerability existed in the Netlify cloud computing platform that allowed cross-site scripting attacks. Netlify has released a patch for the flaw with version 1.2.3. Users must ensure updating their systems with the latest release to receive the fix.

Netlify Cache Poisoning Vulnerability

Security researcher Sam Curry has elaborated on the severe Netlify vulnerability in a blog post.

As stated, the researcher discovered the vulnerability in the Next.js “netlify-ipx” repository. Exploiting the flaw could allow an adversary to perform cross-site scripting (XSS) and server-side request forgery (SSRF) attacks on the target website.

The vulnerability typically affected the websites using Next.js for the relevant Web3 functionality. Some popular platforms vulnerable to this issue include Celo, DocuSign, Moonpay, Gemini, and PancakeSwap.

In brief, the researchers found numerous security issues when scanning the platform for security. The first of these includes an open redirect on the “_next/image” handler, exploiting which could let an attacker redirect HTTP response to arbitrary websites. On OAuth whitelisted sites, exploiting the flaw could even allow the adversary to take over target accounts.

Next, the researchers found XSS and SSRF vulnerabilities on websites with whitelisted host in the configuration file and running the “@netlify/ipx” library. An attacker could exploit the flaw via maliciously crafted SVG files to execute arbitrary JavaScript codes and write arbitrary HTML.

In addition, the researchers noticed a full XSS and SSRF in the “netlify-ipx” library due to improper “x-forwarded-proto” header handling. An attacker could exploit the flaw to create stored XSS endpoint that may execute arbitrary codes upon loading.

See also  Healthcare ransomware attacks are increasing – how to prepare

Curry has shared the details about the vulnerability, CVE-2022-39239, in his post.

Netlify Deployed A Patch

Upon finding the bugs, the researcher reached out to Netlify developers, informing them of the flaw. In response, the vendor released a detailed advisory on GitHub, acknowledging the vulnerability. Alongside describing the issue, the vendors confirmed fixing the flaw with the release of Netlify version 1.2.3.

Besides, stating the workarounds, the advisory reads,

The problem is no longer exploitable on Netlify as the CDN now sanitizes the relevant header. Cached content can be cleared by re-deploying the site.

Let us know your thoughts in the comments.

Source link

attacks Netlify SSRF Vulnerability XSS
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

How Apple privacy changes have forced social media marketing to evolve

October 16, 2022

Microsoft Patch Tuesday October Fixed 85 Vulnerabilities – Latest Hacking News

October 16, 2022

Decentralization and KYC compliance: Critical concepts in sovereign policy

October 15, 2022

What Thoma Bravo’s latest acquisition reveals about identity management

October 14, 2022
Add A Comment

Comments are closed.

Editors Picks

Intel will start phasing out Pentium and Celeron brands in 2023

September 17, 2022

A Plague Tale: Requiem gets new gameplay overview trailer

August 20, 2022

Best Asus laptop deals: Portable workhorses from $131

August 4, 2022

Samsung Wallet payments and passes are coming to 13 more countries this year

October 13, 2022

Subscribe to Updates

Get the latest news and Updates from Behind The Scene about Tech, Startup and more.

Top Post

10 Necessary Skills For Managing The Day-To-Day Operations Of A Business

Whalesync, a Seattle startup syncing data between software apps, raises $1.8M – Startup

Panasonic LZ2000 (2022) review

Behind The Screen
Facebook Twitter Instagram Pinterest Vimeo YouTube
  • Contact
  • Privacy Policy
  • Terms & Conditions
© 2023 behindthescreen.uk - All rights reserved.

Type above and press Enter to search. Press Esc to cancel.