Headline
CVE-2022-2756: v0.5.4.1 - Security Hotfix (#1414) · Kareadita/Kavita@9c31f7e
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.
Permalink
Browse files
v0.5.4.1 - Security Hotfix (#1414)
* Updated our security file with our Huntr.
* Fixed a security vulnerability where through the API, an unauthorized user could delete/modify reading lists that did not belong to them.
Fixed a bug where when creating a reading list with the name of another users, the API would throw an exception (but reading list would still get created)
* Fixed a security vulnerability where through the API, an unauthorized user could delete/modify reading lists that did not belong to them.
Fixed a bug where when creating a reading list with the name of another users, the API would throw an exception (but reading list would still get created)
* Ensure all reading list apis are authorized
* Ensured all APIs require authentication, except those that explicitly don’t. All APIs are default requiring Authentication.
Fixed a security vulnerability which would allow a user to take over an admin account.
* Fixed a bug where cover-upload would accept filenames that were not expected.
* Explicitly check that a user has access to the pdf file before we serve it back.
* Enabled lock out when invalid user auth occurs. After 5 invalid auths, the user account will be locked out for 10 mins.
* Version bump for hotfix release
- Loading branch information