The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed.
7 related security intelligence items are collected here.
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate f
e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function relate
## Resolution

SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. The setting can be customized according to the user's needs. Documentation: https://docs.sillytavern.app/administration/sso/

## Summary

SillyTavern accepts `Remote-User` (Authelia) and `X-Authentik-Username` (Authentik) HTTP
A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypass the local connection check and achieve arbitrary code execution as root on the server side. Depending on the implementation, the vulnerability can be exploited by an unauthenticated attacker.
### Summary

Bandit reflects the client-supplied URI scheme into `conn.scheme` without verifying the actual transport. Over a plaintext HTTP/1.1 connection (or h2c), an unauthenticated attacker can send an absolute-form request target like `GET https://victim/path HTTP/1.1` and the application observes `conn.scheme = :https` even though no TLS was negotiated. Any downstream Plug logic that trusts `
Bandit is an Elixir HTTP server. Versions from 1.0.0 up to (but not including) 1.11.0 contain a vulnerability in which a security decision depends on untrusted input. Specifically, the function `Elixir.Bandit.Pipeline.determine_scheme/2`, when handling an HTTP/1.1 absolute-form request target (for example `GET https://victim/path HTTP/1.1`) or the HTTP/2 `:scheme` pseudo-header, uses the client-supplied URI scheme string directly without verifying whether TLS is actually enabled at the transport layer (that is, it ignores the `transport.secure?` flag). An attacker can declare an `https` scheme in a request sent over a plaintext TCP connection, causing Bandit to mark the connection as `conn.scheme = :https` even though no TLS handshake took place. Downstream Plug middleware (such as `Plug.SSL`) makes security decisions based on `conn.scheme`: the `already-secure` branch of `Plug.SSL` skips the HTTP-to-HTTPS redirect, so requests that should be forced onto HTTPS continue in plaintext; cookies with the `secure: true` attribute are also sent over the plaintext connection; audit logs incorrectly record the request as HTTPS; and CSRF protection and SameSite handling may also make unsafe decisions based on the wrong scheme. An attacker exploiting this vulnerability can carry out man-in-the-middle attacks, hijack sessions, steal sensitive data, or bypass security policies. Affected versions are bandit 1.0.0 through 1.10.x. Users should upgrade to bandit 1.11.0 or later immediately; environments that cannot upgrade right away should limit the server's network exposure to trusted networks only and terminate TLS at a reverse proxy before forwarding requests to Bandit.
💡 Impact/cause: This vulnerability allows an attacker to impersonate HTTPS over a plaintext connection, bypassing the forced HTTPS redirect, causing secure cookies to be sent in the clear, and misleading audit logs and CSRF protection, which may lead to session hijacking or disclosure of sensitive information. It can be exploited without authentication and the impact is severe.