@@ -9,16 +9,13 @@ description: |
99 ### Impact
1010
1111 Password Pusher comes with a configurable rate limiter.
12- In versions prior to
13- [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0),
14- the rate limiter could be bypassed by forging proxy headers allowing
15- bad actors to send unlimited traffic to the site potentially causing
16- a denial of service.
12+ In versions prior to [v1.49.0], the rate limiter could be bypassed by forging
13+ proxy headers allowing bad actors to send unlimited traffic to the site
14+ potentially causing a denial of service.
1715
1816 ### Patches
1917
20- In [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0),
21- a fix was implemented to only authorize proxies on local IPs which
18+ In [v1.49.0], a fix was implemented to only authorize proxies on local IPs which
2219 resolves this issue.
2320
2421 If you are running a remote proxy, please see
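Review bot: the inline links on the `-` lines are replaced by bare reference-style links (`[v1.49.0]`) whose definition is only introduced in the second hunk, at the very end of the `description: |` literal block; this makes the advisory text correct only for consumers that render the description as Markdown with link reference definitions. Any tool that prints the description as plain text (terminal audit output, for example) will show `[v1.49.0]` in literal brackets with no URL next to it, whereas the removed lines carried the full release URL in place. Either confirm that every consumer of this file renders Markdown reference links, or keep the inline form `[v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0)` on the first mention so the release URL is visible regardless of renderer.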
@@ -27,18 +24,18 @@ description: |
2724
2825 ### Workarounds
2926
30- It is highly suggested to upgrade to at least
31- [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0)
32- to mitigate this risk.
27+ It is highly suggested to upgrade to at least [v1.49.0] to mitigate this risk.
3328
3429 If for some reason you cannot immediately upgrade, the alternative
3530 is that you can add rules to your proxy and/or firewall to not
3631 accept external proxy headers such as `X-Forwarded-*` from clients.
3732
3833 ### References
3934
40- The new settings are
41- [configurable to authorize remote proxies](https://docs.pwpush.com/docs/proxies/#trusted-proxies).
35+ The new settings are [configurable to authorize remote proxies][1].
36+
37+ [v1.49.0]: https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
38+ [1]: https://docs.pwpush.com/docs/proxies/#trusted-proxies
4239cvss_v3 : 5.3
4340patched_versions :
4441 - " >= 1.49.0"
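Review bot: the two link definitions added as `37+` and `38+` use inconsistent label styles, a descriptive `[v1.49.0]` next to a numeric `[1]`; a descriptive label such as `[trusted-proxies]: https://docs.pwpush.com/docs/proxies/#trusted-proxies` would read better in plain text and make the "References" paragraph self-explanatory without the definition. Also note that these definitions sit inside the YAML literal block, so they are part of the `description` string itself and will appear verbatim wherever the description is shown unrendered; if that is acceptable, consider dropping the extra blank line at `36+` so the definitions attach directly to the References paragraph rather than trailing as a separate block. The `cvss_v3` and `patched_versions` context lines are unchanged and still consistent with the `>= 1.49.0` fix described in the text.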