Lucene search
K

182 matches found

Cvelist
Cvelist
added 2025/08/20 12:0 a.m.12 views

CVE-2025-50864

An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing CORS restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an...

0.00442EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/08/20 12:0 a.m.8 views

PT-2025-34065 · Pypi · @Elysiajs/Cors

Name of the Vulnerable Software and Affected Versions: elysia-cors versions through 1.3.0 Description: An origin validation error in the elysia-cors library allows attackers to bypass Cross-Origin Resource Sharing CORS restrictions. The library incorrectly validates the supplied origin by checkin...

6.5CVSS6.3AI score0.00442EPSS
Exploits0References11
NVD
NVD
added 2025/08/18 6:15 p.m.22 views

CVE-2025-55300

Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated user...

8.6CVSS0.00515EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/08/18 5:41 p.m.7 views

CVE-2025-55300 Komari Allows Cross-site WebSocket Hijacking

Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated user...

8.6CVSS7.7AI score0.00515EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/08/18 5:41 p.m.25 views

CVE-2025-55300 Komari Allows Cross-site WebSocket Hijacking

Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated user...

8.6CVSS0.00515EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/08/18 12:0 a.m.16 views

Komari 跨站脚本漏洞

Komari is a simple server monitoring tool from the Komari Moniter open source. A cross-site scripting vulnerability exists in versions prior to Komari 1.0.4-fix1, which stems from the WebSocket updater disabling origin checking, and could lead to cross-site WebSocket hijacking and remote code...

8.6CVSS7.1AI score0.00515EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2025/08/07 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2025-38213

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - vgacon: Add check for vcorigin address range in vgaconscroll Our in-house Syzkaller reported the following BUG twice, which we believed was the same issue with ...

6.3AI score
Exploits0References3
OSV
OSV
added 2025/07/07 10:13 p.m.2 views

GHSA-36RG-GFQ2-3H56 Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes

Summary An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. Details In the matchesPattern function, url.startsWith can be deceived with ...

5.3CVSS5.7AI score0.00334EPSS
Exploits0References4
OSV
OSV
added 2025/07/07 5:15 p.m.5 views

CVE-2025-53535 Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes

Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This...

5.3CVSS7.1AI score0.00334EPSS
Exploits0References3
OSV
OSV
added 2025/05/28 5:44 p.m.6 views

DRUPAL-CONTRIB-2025-074

The module adds the etracker web statistics tracking system to your website. The cookies\etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users. A potential...

7.3CVSS6.7AI score0.00234EPSS
Exploits0References1
OSV
OSV
added 2025/03/10 6:15 a.m.3 views

CVE-2024-11638

The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL to perform code analysis upon belongs to the blog which could allow unauthenticated attackers to retrieve a logged in user such as admin cookies by making them open a crafted URL as the request made to analysed the URL contain...

8.8CVSS5.8AI score0.00512EPSS
Exploits1References1
BDU FSTEC
BDU FSTEC
added 2025/02/17 12:0 a.m.6 views

The vulnerability of the CORS mechanism of the Vite application development local server allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the CORS mechanism of the Vite application development local server is related to the lack of origin verification in WebSockets. Exploiting this vulnerability allows an attacker operating remotely to gain unauthorized access to protected information by sending specially craft...

7.8CVSS6.5AI score0.00283EPSS
Exploits1References3Affected Software1
SUSE CVE
SUSE CVE
added 2025/02/14 4:15 a.m.17 views

SUSE CVE-2024-50052

Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post...

4.3CVSS7.9AI score0.0027EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/02/13 3:20 p.m.19 views

CVE-2025-24903 libsignal-service-rs Doesn't Check Origin of Sync Messages

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user...

8.5CVSS0.00171EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2025/01/30 3:48 a.m.4 views

SUSE CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...

9.8CVSS8.5AI score0.00369EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/01/29 6:24 p.m.31 views

CVE-2024-10001 Code Injection Vulnerability in GitHub Enterprise Server Allows Arbitrary Code Execution via Message Handling

A Code Injection vulnerability was identified in GitHub Enterprise Server that allowed attackers to inject malicious code into the query selector via the identity property in the message handling function. This enabled the exfiltration of sensitive data by manipulating the DOM, including...

7.1CVSS0.00371EPSS
Exploits0References5
OSV
OSV
added 2025/01/29 9:15 a.m.9 views

CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...

9.8CVSS6.8AI score
Exploits0References4
OSV
OSV
added 2025/01/29 9:15 a.m.3 views

UBUNTU-CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...

9.8CVSS7.2AI score0.00369EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/01/29 12:0 a.m.15 views

CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...

0.00369EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2024/12/25 6:0 a.m.24 views

CVE-2024-10858 Jetpack 13.0-14.0 - Unauthenticated DOM-XSS

The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com...

6.8AI score0.00324EPSS
Exploits1References1
Rows per page
Query Builder