#js

Red Hat Security Advisory 2023-7730-03 - An update for tracker-miners is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Security Advisory 2023-7725-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes bug and security fixes.

Red Hat Security Advisory 2023-7716-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.

Red Hat Security Advisory 2023-7715-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.

Red Hat Security Advisory 2023-7714-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-7713-03 - An update for tracker-miners is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Security Advisory 2023-7712-03 - An update for tracker-miners is now available for Red Hat Enterprise Linux 9.

In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).

### Summary `nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [A previous vulnerability](https://huntr.dev/bounties/4c57a3f6-0d0e-4431-9494-4a1e7b062fbf/) allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF. ### Details `nuxt-api-party` attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to [use a regular expression](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31) `^https?://`. This regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` has a leading newline. According to the fetch specification, before...