Created by: knopp10000
Fix: made in webpack-dev-server with this commit: https://github.com/webpack/webpack-dev-server/commit/e765182e426cbca9c3c09294b02ac2d9737c1d74
Problem description: Exposure of Sensitive Information in eventsource. When fetching a URL that redirects to an external site, the user's cookies and Authorization header are leaked to the third-party application. According to the same-origin policy, these headers should be "sanitized" (dropped) before the redirected request is sent to the other origin.
Severity score: Critical 9.3 / 10 (according to Dependabot)
Background: The webpack-dev-server commit above updates its dependency on sockjs to v. 1.6.1, which includes this commit: https://github.com/sockjs/sockjs-client/commit/1cf4a5a56f76e3137316294e50733476649aec9e, which in turn updates eventsource to a version > 1.0.0.
This is the commit that fixes the security issue in eventsource: https://github.com/EventSource/eventsource/commit/f9f6416567bff62c1af2f4314be51d9870e94bc2
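Added illustration of the check described above (my own example, not code from eventsource, sockjs or webpack-dev-server): a redirect-following client compares the origin of each redirect target with the origin the credentials were supplied for, and drops Cookie and Authorization before leaving it. The hostnames app.example and third-party.example and the stubbed response table are constructed.

```javascript
// Added example (not eventsource's code); the sample data below is constructed.

// Request headers that carry credentials for the origin they were sent to.
const CREDENTIAL_HEADERS = ['cookie', 'authorization'];

// Same-origin tuple (scheme, host, port); URL.origin normalises default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Copy of `headers` that is safe to send to `redirectUrl`: credential headers
// are dropped once the redirect leaves the origin of the original request.
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const crossOrigin = !sameOrigin(originalUrl, redirectUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Follows a 3xx chain against a stubbed response table (constructed, no
// network): `responses` maps URL -> { status, location }. Returns one entry
// per hop with the headers that would have been sent, so a leak is visible.
function followRedirects(startUrl, headers, responses, maxHops = 5) {
  const trace = [];
  let url = startUrl;
  let hdrs = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    trace.push({ url, headers: { ...hdrs } });
    const res = responses[url];
    if (!res || res.status < 300 || res.status > 399 || !res.location) return trace;
    const next = new URL(res.location, url).href; // resolves a relative Location
    hdrs = headersForRedirect(startUrl, next, hdrs);
    url = next;
  }
  throw new Error('too many redirects');
}

// Constructed sample: an event stream on app.example that bounces to a third party.
const sampleResponses = {
  'https://app.example/events': { status: 302, location: '/v2/events' },
  'https://app.example/v2/events': { status: 307, location: 'https://third-party.example/collect' },
  'https://third-party.example/collect': { status: 200 },
};
const sampleHeaders = { Cookie: 'session=abc', Authorization: 'Bearer t0k3n', Accept: 'text/event-stream' };
const sampleTrace = followRedirects('https://app.example/events', sampleHeaders, sampleResponses);
console.log(sampleTrace.map((h) => `${h.url} -> ${Object.keys(h.headers).join(',')}`).join('\n'));
```

The vulnerable behaviour is the same loop without the `headersForRedirect` step: the third hop would then still carry the Cookie and Authorization values.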