aydenp / PowerSchool-API

A Node.js library for interacting with the PowerSchool SIS API.
https://aydenp.github.io/PowerSchool-API/
MIT License

CVE-2023-28155 (Server-Side Request Forgery in Request) #19

Open jpdagostino opened 1 year ago

jpdagostino commented 1 year ago
The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

See: GitHub Advisory

jpdagostino commented 3 months ago

Fixed in #21
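
One way to keep an SSRF check effective against the cross-protocol redirect described in this issue is to follow redirects manually and apply the same check to every hop, including hops that switch between HTTP and HTTPS. This is an added example, not code from this repository or from the Request package; the function names, the address list and the sample redirect table are assumptions made for illustration, and `getHop` stands in for whatever HTTP client sends a single request with automatic redirects turned off.

```javascript
// Added illustration: PRIVATE_V4, SAMPLE_HOPS and all function names are constructed here.
const PRIVATE_V4 = [["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];

function ipv4ToInt(host) {
  const parts = host.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isBlockedHost(host) {
  // IPv6 literals are refused outright to keep this sketch short.
  if (host === "localhost" || host.startsWith("[")) return true;
  const ip = ipv4ToInt(host);
  if (ip === null) return false; // hostname: a real client must also check the resolved address
  return PRIVATE_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
  });
}

// Returns null when the URL may be requested, otherwise the reason it is refused.
function checkHop(rawUrl) {
  const u = new URL(rawUrl); // WHATWG parsing normalises forms such as 0x7f.1 or 2130706433
  if (u.protocol !== "http:" && u.protocol !== "https:") return "protocol not allowed";
  return isBlockedHost(u.hostname) ? "internal address" : null;
}

// getHop(url) stands in for one request sent with automatic redirects disabled.
function followChecked(startUrl, getHop, maxHops = 5) {
  let url = startUrl;
  for (let i = 0; i <= maxHops; i++) {
    const reason = checkHop(url); // same check on every hop, whatever the scheme
    if (reason) return { ok: false, url, reason };
    const { status, location } = getHop(url);
    if (status < 300 || status >= 400 || !location) return { ok: true, url, status };
    url = new URL(location, url).href; // resolve relative Location values
  }
  return { ok: false, url, reason: "too many redirects" };
}

// Constructed redirect table: an HTTP URL that redirects to HTTPS on an internal address.
const SAMPLE_HOPS = {
  "http://redirector.example/start": { status: 302, location: "https://10.0.0.5/internal" },
  "http://public.example/a": { status: 301, location: "https://public.example/b" },
};
const sampleGetHop = (url) => SAMPLE_HOPS[url] || { status: 200 };
console.log(followChecked("http://redirector.example/start", sampleGetHop));
```

The check only inspects the URL as written, so a production client also has to validate the address the hostname resolves to at connection time.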