Total
29 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-45642 | 1 Ibm | 1 Security Qradar Edr | 2024-11-15 | 5.3 Medium |
| IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2024-10315 | 2024-11-12 | N/A | ||
| In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Reported by Ather Iqbal. | ||||
| CVE-2023-36829 | 2 Functional, Sentry | 2 Sentry, Sentry | 2024-11-06 | 6.8 Medium |
| Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of Sentry installation. This only affects installations that have `system.base-hostname` option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. The patch has been released in Sentry 23.6.2. | ||||
| CVE-2024-10463 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2024-11-04 | 7.5 High |
| Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132. | ||||
| CVE-2023-27932 | 3 Apple, Debian, Redhat | 8 Ipados, Iphone Os, Macos and 5 more | 2024-10-09 | 5.5 Medium |
| This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy. | ||||
| CVE-2024-21382 | 2 Google, Microsoft | 2 Android, Edge Chromium | 2024-10-08 | 4.3 Medium |
| Microsoft Edge for Android Information Disclosure Vulnerability | ||||
| CVE-2023-46281 | 1 Siemens | 4 Opcenter Quality, Simatic Pcs Neo, Sinumerik Integrate Runmyhmi \/automotive and 1 more | 2024-10-08 | 7.1 High |
| A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior. | ||||
| CVE-2024-23271 | 1 Redhat | 1 Enterprise Linux | 2024-09-25 | 7.3 High |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 17.3 and iPadOS 17.3, Safari 17.3, tvOS 17.3, macOS Sonoma 14.3, watchOS 10.3. A malicious website may cause unexpected cross-origin behavior. | ||||
| CVE-2021-27786 | 1 Hcltech | 1 Onetest Server | 2024-09-16 | 4.6 Medium |
| Cross-origin resource sharing (CORS) enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information when the Access-Control-Allow-Credentials is enabled. | ||||
| CVE-2024-6449 | 1 Hyperview | 1 Geoportal Toolkit | 2024-09-12 | 6.5 Medium |
| HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides. | ||||
| CVE-2023-25603 | 1 Fortinet | 2 Fortiadc, Fortiddos-f | 2024-08-30 | 5.4 Medium |
| A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and 6.4.0 - 6.4.1 allow an unauthorized attacker to carry out privileged actions and retrieve sensitive information via crafted web requests. | ||||
| CVE-2024-41657 | 1 Casbin | 1 Casdoor | 2024-08-28 | 8.1 High |
| Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user. | ||||
| CVE-2024-25124 | 2024-08-26 | 9.4 Critical | ||
| Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this. | ||||
| CVE-2024-41659 | 1 Usememos | 1 Memos | 2024-08-22 | 8.1 High |
| memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0. | ||||
| CVE-2024-32862 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-08-09 | 6.8 Medium |
| Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. | ||||
| CVE-2017-20146 | 1 Gorillatoolkit | 1 Handlers | 2024-08-05 | 9.8 Critical |
| Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy. | ||||
| CVE-2019-14860 | 1 Redhat | 3 Fuse, Jboss Fuse, Syndesis | 2024-08-05 | 6.5 Medium |
| It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information. | ||||
| CVE-2021-34435 | 1 Eclipse | 1 Theia | 2024-08-04 | 8.8 High |
| In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.. | ||||
| CVE-2022-34366 | 1 Dell | 1 Supportassist For Home Pcs | 2024-08-03 | 6.5 Medium |
| Dell SupportAssist for Home PCs (version 3.11.2 and prior) contain Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | ||||
| CVE-2023-50940 | 1 Ibm | 1 Powersc | 2024-08-02 | 5.3 Medium |
| IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 275130. | ||||