Decolua 9router Improper Authorization Vulnerability in HTTP Header Handler

A vulnerability allowing improper authorization has been identified in Decolua 9router versions through 0.4.0. The issue arises in the HTTP Header Handler component, specifically within the 'isAuthenticated' function of 'src/dashboardGuard.js'. The vulnerability can be exploited remotely by manipulating the 'Host' header, potentially allowing unauthorized access to sensitive API endpoints such as '/api/keys' and '/api/settings'.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the 9router dashboard, allowing attackers to bypass authentication and access sensitive internal API endpoints. This could result in significant confidentiality and integrity risks.

Remediation

Users are advised to upgrade to Decolua 9router version 0.4.1, which addresses this vulnerability by implementing proper authorization checks and enhancing security measures. The update is available on the Decolua 9router GitHub Releases page.