rdiffweb@2.5.2 vulnerabilities

A web interface to rdiff-backup repositories.

Direct Vulnerabilities

Known vulnerabilities in the rdiffweb package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
Severity: H
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling by exploiting the lack of resource allocation limits or throttling when creating access tokens.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.8.4 or higher.

Vulnerable versions: [,2.8.4)
Severity: M
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. There is no rate limit on the send report feature on the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint, which allows an attacker to spam the victim's mailbox.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.8.1 or higher.

Vulnerable versions: [,2.8.1)
Severity: M
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) by allowing SSH key names formatted like URL strings to be automatically converted into links.

How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)
Severity: M
Open Redirect

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Open Redirect by allowing an attacker to inject a malicious link when sending an email invitation.

How to fix Open Redirect?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)
Severity: M
Business Logic Errors

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Business Logic Errors such that if an attacker is able to add an SSH key by any means, the user will remain unaware of this change.

How to fix Business Logic Errors?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)
Severity: H
Authentication Bypass by Primary Weakness

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness due to the Username field not being unique, leading to broken authorization.

How to fix Authentication Bypass by Primary Weakness?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)
Severity: M
Access Control Bypass

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Access Control Bypass by allowing multiple users to authenticate with the same SSH key.

How to fix Access Control Bypass?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)
Severity: M
Allocation of Resources Without Limits or Throttling

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /prefs/mfa endpoint, due to a missing rate limit on email triggering.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rdiffweb to version 2.5.5 or higher.

Vulnerable versions: [,2.5.5)
Severity: M
Cross-site Request Forgery (CSRF)

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to insufficient checks in the /logout endpoint.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rdiffweb to version 2.5.4 or higher.

Vulnerable versions: [,2.5.4)
Severity: M
Open Redirect

rdiffweb is a web interface to rdiff-backup repositories.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of the header value, allowing the attacker to supply invalid input.

How to fix Open Redirect?

Upgrade rdiffweb to version 2.5.4 or higher.

Vulnerable versions: [,2.5.4)