rdiffweb@1.0.0a2 vulnerabilities

A web interface to rdiff-backup repositories.

Direct Vulnerabilities

Known vulnerabilities in the rdiffweb package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below gives the severity (Low, Medium or High), the vulnerability, how to fix it, and the vulnerable version range.
Severity: Medium
Open Redirect

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Open Redirect, which allows attackers to redirect users to a website of their choice, potentially enabling phishing attacks.

How to fix Open Redirect?

Upgrade rdiffweb to version 2.5.1 or higher.

Vulnerable versions: [,2.5.1)

Severity: Medium
Brute Force

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Brute Force due to a weak IP detection mechanism in the login API. Under usual circumstances, the user's IP address should be blocked after five unsuccessful login attempts. However, the IP detection can be bypassed by supplying an X-Forwarded-For header, enabling attackers to carry out a brute-force attack against the password.

How to fix Brute Force?

Upgrade rdiffweb to version 2.4.4 or higher.

Vulnerable versions: [,2.4.4)

Severity: High
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling because access token creation has no resource allocation limits or throttling.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.8.4 or higher.

Vulnerable versions: [,2.8.4)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. There is no rate limit on the send report feature at the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint, which allows an attacker to spam the victim's mailbox.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.8.1 or higher.

Vulnerable versions: [,2.8.1)

Severity: Medium
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) because SSH key names formatted like URL strings are automatically converted into links.

How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)

Severity: Medium
Open Redirect

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Open Redirect by allowing an attacker to inject a malicious link when sending an email invitation.

How to fix Open Redirect?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)

Severity: Medium
Business Logic Errors

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Business Logic Errors: if an attacker is able to add an SSH key by any means, the user is not made aware of this change.

How to fix Business Logic Errors?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)

Severity: High
Authentication Bypass by Primary Weakness

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness because the Username field is not unique, leading to broken authorization.

How to fix Authentication Bypass by Primary Weakness?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)

Severity: Medium
Access Control Bypass

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Access Control Bypass by allowing multiple users to authenticate with the same SSH key.

How to fix Access Control Bypass?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /prefs/mfa endpoint, due to a missing rate limit on email triggering.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)

Severity: Medium
Cross-site Request Forgery (CSRF)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to insufficient checks in the /logout endpoint.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rdiffweb to version 2.5.4 or higher.

Vulnerable versions: [,2.5.4)

Severity: Medium
Open Redirect

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of the header value, allowing an attacker to supply invalid input.

How to fix Open Redirect?

Upgrade rdiffweb to version 2.5.4 or higher.

Vulnerable versions: [,2.5.4)

Severity: Medium
Improper Privilege Management

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Improper Privilege Management by allowing an attacker to perform unauthorized actions even after the permissions have been removed from the attacker-controlled account.

How to fix Improper Privilege Management?

Upgrade rdiffweb to version 2.5.2 or higher.

Vulnerable versions: [,2.5.2)

Severity: Medium
Missing Authentication for Critical Function

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function by allowing an attacker to bypass 2FA verification and prevent a user from accessing their account.

How to fix Missing Authentication for Critical Function?

Upgrade rdiffweb to version 2.5.0 or higher.

Vulnerable versions: [,2.5.0)

Severity: Medium
Insufficient Session Expiration

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Insufficient Session Expiration because active sessions are not expired after a password change. As a result, old sessions remain active in any other browser or device.

How to fix Insufficient Session Expiration?

Upgrade rdiffweb to version 2.5.0a8 or higher.

Vulnerable versions: [,2.5.0a8)

Severity: Low
Business Logic Errors

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Business Logic Errors in the multi-factor authentication functionality.

How to fix Business Logic Errors?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Insufficient Session Expiration

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to missing predefined session timeouts, which allows an attacker to steal the user's session on a shared computer.

How to fix Insufficient Session Expiration?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to missing checks in the login, mfa, password change and API functionalities.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling because there is no maximum number of requests per hour on sensitive endpoints.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Low
Origin Validation Error

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Origin Validation Error due to missing checks in tools/secure_headers.py.

How to fix Origin Validation Error?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Open Redirect

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Open Redirect by allowing an attacker to inject a malicious link when sending an email invitation.

How to fix Open Redirect?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: High
Directory Traversal

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Directory Traversal by allowing an attacker to access the /etc/passwd file.

How to fix Directory Traversal?

Upgrade rdiffweb to version 2.4.10 or higher.

Vulnerable versions: [,2.4.10)

Severity: Medium
Weak Password Requirements

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Weak Password Requirements because a user is allowed to set a new password that is the same as the previous password during a password reset.

How to fix Weak Password Requirements?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling because the password change feature has no attempt limit, which allows an attacker to brute-force the old password and set a new password for the account.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the token name field at the /prefs/tokens endpoint, which can consume excessive resources when a very long string is supplied.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Fullname parameter, by allowing an attacker to set a very long name string, leading to crashes.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.5.0a7 or higher.

Vulnerable versions: [,2.5.0a7)

Severity: Medium
Use of Cache Containing Sensitive Information

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to improper cache control, which allows an attacker to view sensitive information even when not logged into the account.

How to fix Use of Cache Containing Sensitive Information?

Upgrade rdiffweb to version 2.4.9 or higher.

Vulnerable versions: [,2.4.9)

Severity: Medium
Weak Password Requirements

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Weak Password Requirements due to improper filtering of blank spaces in a password, allowing an attacker to bypass the password complexity policy.

How to fix Weak Password Requirements?

Upgrade rdiffweb to version 2.4.9 or higher.

Vulnerable versions: [,2.4.9)

Severity: Medium
Improper Handling of Length Parameter Inconsistency

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency due to insufficient checks on user input parameters: an attacker can set a very long email address, leading to memory corruption or a possible DoS attack.

How to fix Improper Handling of Length Parameter Inconsistency?

Upgrade rdiffweb to version 2.4.8 or higher.

Vulnerable versions: [,2.4.8)

Severity: Medium
Improper Handling of Length Parameter Inconsistency

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency due to insufficient checks on user input parameters: an attacker can set a username with a very long string, leading to memory corruption or a possible DoS attack.

How to fix Improper Handling of Length Parameter Inconsistency?

Upgrade rdiffweb to version 2.4.8 or higher.

Vulnerable versions: [,2.4.8)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to insufficient checks on user input parameters: an attacker can set a very long title while adding an SSH key, leading to memory corruption or a possible DoS attack.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.4.8 or higher.

Vulnerable versions: [,2.4.8)

Severity: Medium
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling because there is no length limit on user input parameters such as the root directory name.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.4.8 or higher.

Vulnerable versions: [,2.4.8)

Severity: Medium
Session Fixation

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Session Fixation. When disconnecting from the application, the application continues to use the pre-authentication cookies.

How to fix Session Fixation?

Upgrade rdiffweb to version 2.4.7 or higher.

Vulnerable versions: [,2.4.7)

Severity: Medium
Sensitive Cookie in HTTPS Session Without "Secure" Attribute

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute because the session_id cookie lacks the Secure attribute when the URL is invalid.

How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute?

Upgrade rdiffweb to version 2.4.6 or higher.

Vulnerable versions: [0,2.4.6)

Severity: Medium
Cross-site Request Forgery (CSRF)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the email ID field, which allows an attacker to change the email ID of a user.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rdiffweb to version 2.4.7 or higher.

Vulnerable versions: [0,2.4.7)

Severity: Medium
Cross-site Request Forgery (CSRF)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF), which makes it possible for an attacker to change the settings of a repository by sending a URL to the victim.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rdiffweb to version 2.4.7 or higher.

Vulnerable versions: [,2.4.7)

Severity: Medium
Cross-site Request Forgery (CSRF)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) because the server accepts GET requests that modify the repository notifications sent to the user's email.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rdiffweb to version 2.4.6 or higher.

Vulnerable versions: [0,2.4.6)

Severity: Medium
Cross-site Request Forgery (CSRF)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the /delete/admin/ endpoint.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rdiffweb to version 2.4.5 or higher.

Vulnerable versions: [,2.4.5)

Severity: High
Cross-site Request Forgery (CSRF)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) because the server accepts a GET request that adds an SSH public key to the profile. This can lead to a bypass of authorization to the system and backups.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rdiffweb to version 2.4.3 or higher.

Vulnerable versions: [,2.4.3)

Severity: Medium
Weak Password Requirements

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Weak Password Requirements due to an improper minimum requirements policy.

How to fix Weak Password Requirements?

Upgrade rdiffweb to version 2.4.2 or higher.

Vulnerable versions: [,2.4.2)

Severity: Medium
Information Exposure

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Information Exposure via the error page when meaningless user input is provided.

How to fix Information Exposure?

Upgrade rdiffweb to version 2.4.2 or higher.

Vulnerable versions: [,2.4.2)

Severity: Medium
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute because the user's session id cookie is set with the secure attribute 'False'. This allows the user's cookies to be sent to the server in unencrypted requests over plain HTTP.

How to fix Sensitive Cookie in HTTPS Session Without 'Secure' Attribute?

Upgrade rdiffweb to version 2.4.2 or higher.

Vulnerable versions: [,2.4.2)

Severity: Medium
Improper Restriction of Rendered UI Layers or Frames (Clickjacking)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames (Clickjacking) due to improper validations.

How to fix Improper Restriction of Rendered UI Layers or Frames (Clickjacking)?

Upgrade rdiffweb to version 2.4.1 or higher.

Vulnerable versions: [,2.4.1)