Dinawo/CDN-APP-INSIDER
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
secops/security-update-2026-03-12
CDN-APP-INSIDER/routes/Dpanel/API/NewFolder.js
dinawo 76dc23c861 security: fix vulnerabilities and update security hardening (2026-03-12) 
Code security fixes:
- Fixed 3 critical auth bypass bugs (user.jso, typo → user.json) in RenameFile, NewFolder, DeleteFolder API routes
- Added URL validation (HTTP/HTTPS only) on ProfilPicture and BackgroundCustom endpoints to prevent stored XSS/CSS injection
- Added path traversal protection in Upload.js (resolved path boundary check)
- Removed unsafe-eval from CSP script-src directive
- Removed information disclosure in BuildMetaData error responses
- Removed unused child_process import in BuildMetaData.js

Version bump: 1.2.1-beta → 1.2.2-beta
2026-03-12 17:16:16 +01:00

5.1 KiB
Raw Permalink Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink