Advisories for Npm/@Haxtheweb/Open-Apis package

Multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication.

An unauthenticated information disclosure vulnerability exists in the PSU deployment of HAX CMS via the haxPsuUsage API endpoint. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion.