Total
283 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-30949 | 1 Palantir | 1 Slate | 2024-10-15 | 4.3 Medium |
| A missing origin validation in Slate sandbox could be exploited by a malicious user to modify the page's content, which could lead to phishing attacks. | ||||
| CVE-2024-36303 | 1 Trendmicro | 1 Apex One | 2024-10-04 | 7.8 High |
| An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2024-36302. | ||||
| CVE-2024-9392 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2024-10-04 | 9.8 Critical |
| A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. | ||||
| CVE-2022-26137 | 1 Atlassian | 11 Bamboo, Bitbucket, Confluence Data Center and 8 more | 2024-10-03 | 8.8 High |
| A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4. | ||||
| CVE-2023-2848 | 1 Movim | 1 Movim | 2024-09-25 | 8 High |
| Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation. | ||||
| CVE-2024-44187 | 2 Apple, Redhat | 8 Ipados, Iphone Os, Macos and 5 more | 2024-09-25 | 6.5 Medium |
| A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin. | ||||
| CVE-2024-6301 | 1 Conduit | 1 Conduit | 2024-09-20 | 5.3 Medium |
| Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs | ||||
| CVE-2024-41475 | 2 Gnuboard, Sir | 2 Gnuboard6, Gnuboard | 2024-09-18 | 9.8 Critical |
| Gnuboard g6 6.0.7 is vulnerable to Session hijacking due to a CORS misconfiguration. | ||||
| CVE-2022-24762 | 2 Jcubic, Sysend.js Project | 2 Sysend, Sysend.js | 2024-09-18 | 6.5 Medium |
| sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages. | ||||
| CVE-2023-44189 | 1 Juniper | 5 Junos Os Evolved, Ptx10003, Ptx10003 160c and 2 more | 2024-09-18 | 6.1 Medium |
| An Origin Validation vulnerability in MAC address validation of Juniper Networks Junos OS Evolved on PTX10003 Series allows a network-adjacent attacker to bypass MAC address checking, allowing MAC addresses not intended to reach the adjacent LAN to be forwarded to the downstream network. Due to this issue, the router will start forwarding traffic if a valid route is present in forwarding-table, causing a loop and congestion in the downstream layer-2 domain connected to the device. This issue affects Juniper Networks Junos OS Evolved on PTX10003 Series: * All versions prior to 21.4R3-S4-EVO; * 22.1 versions prior to 22.1R3-S3-EVO; * 22.2 version 22.2R1-EVO and later versions; * 22.3 versions prior to 22.3R2-S2-EVO, 22.3R3-S1-EVO; * 22.4 versions prior to 22.4R2-S1-EVO, 22.4R3-EVO; * 23.2 versions prior to 23.2R2-EVO. | ||||
| CVE-2023-44190 | 1 Juniper | 6 Junos Os Evolved, Ptx10001, Ptx10001-36mr and 3 more | 2024-09-18 | 6.1 Medium |
| An Origin Validation vulnerability in MAC address validation of Juniper Networks Junos OS Evolved on PTX10001, PTX10004, PTX10008, and PTX10016 devices allows a network-adjacent attacker to bypass MAC address checking, allowing MAC addresses not intended to reach the adjacent LAN to be forwarded to the downstream network. Due to this issue, the router will start forwarding traffic if a valid route is present in forwarding-table, causing a loop and congestion in the downstream layer-2 domain connected to the device. This issue affects Juniper Networks Junos OS Evolved on PTX10001, PTX10004, PTX10008, and PTX10016: * All versions prior to 21.4R3-S5-EVO; * 22.1 versions prior to 22.1R3-S4-EVO; * 22.2 versions 22.2R1-EVO and later; * 22.3 versions prior to 22.3R2-S2-EVO, 22.3R3-S1-EVO; * 22.4 versions prior to 22.4R2-S1-EVO, 22.4R3-EVO; * 23.2 versions prior to 23.2R1-S1-EVO, 23.2R2-EVO. | ||||
| CVE-2022-1747 | 1 Dominionvoting | 2 Democracy Suite, Imagecast X | 2024-09-17 | 4.6 Medium |
| The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization. | ||||
| CVE-2020-4881 | 1 Ibm | 1 Planning Analytics | 2024-09-17 | 7.5 High |
| IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the lack of server hostname verification for SSL/TLS communication. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 190851. | ||||
| CVE-2017-13274 | 1 Google | 1 Android | 2024-09-17 | N/A |
| In the getHost() function of UriTest.java, there is the possibility of incorrect web origin determination. This could lead to incorrect security decisions with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-71360761. | ||||
| CVE-2018-15723 | 1 Logitech | 2 Harmony Hub, Harmony Hub Firmware | 2024-09-17 | N/A |
| The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. An unauthenticated remote attacker can leverage this vulnerability to execute application defined commands (e.g. harmony.system?systeminfo). | ||||
| CVE-2019-4640 | 2 Ibm, Microsoft | 2 Security Secret Server, Windows | 2024-09-17 | 9.8 Critical |
| IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code. IBM X-Force ID: 170046. | ||||
| CVE-2018-6654 | 1 Grammarly | 1 Grammarly | 2024-09-17 | N/A |
| The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens is not restricted to any specific web site. | ||||
| CVE-2018-20745 | 1 Yiiframework | 1 Yii | 2024-09-17 | N/A |
| Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | ||||
| CVE-2017-0902 | 4 Canonical, Debian, Redhat and 1 more | 11 Ubuntu Linux, Debian Linux, Enterprise Linux and 8 more | 2024-09-17 | N/A |
| RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. | ||||
| CVE-2021-39063 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2024-09-17 | 9.1 Critical |
| IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information due to a misconfiguration in access control headers. IBM X-Force ID: 214956. | ||||