SB20260420102 - Multiple vulnerabilities in titra
Published: April 20, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Origin validation error (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass domain whitelist restrictions and trigger unauthorized webhook processing.
The vulnerability exists due to an origin validation error in the webhook verification endpoint in server/APIroutes.js when handling requests with user-controlled Host or X-Forwarded-Host headers. A remote attacker can send a specially crafted request with a malicious header value to bypass domain whitelist restrictions and trigger unauthorized webhook processing.
Only deployments that use the webhook verification feature are affected in practice. The impact may include SSRF-like behavior if internal domains are present in the whitelist, since the server acts on a domain chosen by the client rather than one it configured itself.
2) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the globalsettings Meteor publication when handling DDP subscription requests. A remote user can subscribe to the publication using a non-admin account to disclose sensitive information.
Exposed data includes configuration fields such as google_secret, openai_apikey, and google_clientid.
Remediation
Install update from vendor's website.