29 matches found
CVE-2023-37259 Cross site scripting in Export Chat feature
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting XSS. Since the Export Chat feature...
Default CORS config allows any origin with credentials
Impact Origin reflection attack The default CORS configuration is vulnerable to an origin reflection attack. Take the following http4s app app, using the default CORS config, running at https://vulnerable.example.com: scala val routes: HttpRoutesF = HttpRoutes.of case req if req.pathInfo ===...
GHSA-52CF-226F-RHR6 Default CORS config allows any origin with credentials
Impact Origin reflection attack The default CORS configuration is vulnerable to an origin reflection attack. Take the following http4s app app, using the default CORS config, running at https://vulnerable.example.com: scala val routes: HttpRoutesF = HttpRoutes.of case req if req.pathInfo ===...
CVE-2021-39185
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...
CVE-2021-39185
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...
Design/Logic Flaw
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...
CVE-2021-39185
Http4s is affected by a vulnerability in the default CORS configuration that enables origin reflection and a Null Origin Attack for versions 0.21.26 and prior, 0.22.0–0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24. The issue stems from the default CORS settings allowing credentialed acces...
CVE-2019-9580
In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS...
Facebook chat history stealing vulnerability, the impact of the billion Messenger users-vulnerability warning-the black bar safety net
In this article, we describe in detail A in Facebook on find Server security vulnerabilities, this vulnerability might affect millions of CORScross-origin resource sharingin the Origin header to allow“NULL”value of the site, the vulnerability will threat the privacy of the user, the malicious...