GHSA-f27p-cmv8-xhm6: fetch: Authorization headers not dropped when redirecting cross-origin

GHSA-2p95-8xvm-2pjx: REDAXO CMS Cross-site Scripting vulnerability

GHSA-m78c-qx99-mvw9: Grav Cross-site Scripting vulnerability

GHSA-237r-r8m4-4q88: Guzzle OAuth Subscriber has insufficient nonce entropy

GHSA-v6jv-p6r8-j78w: NiceGUI On Air authentication issue

### Impact

A vulnerability CVE-2023-39325 exists in [Go managing HTTP/2 requests](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ?pli=1), which impacts Traefik. This vulnerability could be exploited to cause a denial of service.

### References

- [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487)
- [CVE-2023-39325](https://www.cve.org/CVERecord?id=CVE-2023-39325)

### Patches

- https://github.com/traefik/traefik/releases/tag/v2.10.5
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta4

**Traefik vulnerable to HTTP/2 request causing denial of service**

Moderate severity GitHub Reviewed Published Oct 12, 2023 in traefik/traefik • Updated Oct 17, 2023

Headline

GHSA-7v4p-328v-8v5g: Traefik vulnerable to HTTP/2 request causing denial of service

Impact

References

Patches

ghsa: Latest News