182 matches found
CVE-2025-50864
An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing CORS restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an...
PT-2025-34065 · Pypi · @Elysiajs/Cors
Name of the Vulnerable Software and Affected Versions: elysia-cors versions through 1.3.0 Description: An origin validation error in the elysia-cors library allows attackers to bypass Cross-Origin Resource Sharing CORS restrictions. The library incorrectly validates the supplied origin by checkin...
CVE-2025-55300
Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated user...
CVE-2025-55300 Komari Allows Cross-site WebSocket Hijacking
Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated user...
CVE-2025-55300 Komari Allows Cross-site WebSocket Hijacking
Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated user...
Komari 跨站脚本漏洞
Komari is a simple server monitoring tool from the Komari Moniter open source. A cross-site scripting vulnerability exists in versions prior to Komari 1.0.4-fix1, which stems from the WebSocket updater disabling origin checking, and could lead to cross-site WebSocket hijacking and remote code...
Linux Distros Unpatched Vulnerability : CVE-2025-38213
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - vgacon: Add check for vcorigin address range in vgaconscroll Our in-house Syzkaller reported the following BUG twice, which we believed was the same issue with ...
GHSA-36RG-GFQ2-3H56 Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
Summary An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. Details In the matchesPattern function, url.startsWith can be deceived with ...
CVE-2025-53535 Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes
Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This...
DRUPAL-CONTRIB-2025-074
The module adds the etracker web statistics tracking system to your website. The cookies\etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users. A potential...
CVE-2024-11638
The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL to perform code analysis upon belongs to the blog which could allow unauthenticated attackers to retrieve a logged in user such as admin cookies by making them open a crafted URL as the request made to analysed the URL contain...
The vulnerability of the CORS mechanism of the Vite application development local server allows a perpetrator to gain unauthorized access to protected information.
The vulnerability of the CORS mechanism of the Vite application development local server is related to the lack of origin verification in WebSockets. Exploiting this vulnerability allows an attacker operating remotely to gain unauthorized access to protected information by sending specially craft...
SUSE CVE-2024-50052
Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post...
CVE-2025-24903 libsignal-service-rs Doesn't Check Origin of Sync Messages
libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user...
SUSE CVE-2024-57965
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...
CVE-2024-10001 Code Injection Vulnerability in GitHub Enterprise Server Allows Arbitrary Code Execution via Message Handling
A Code Injection vulnerability was identified in GitHub Enterprise Server that allowed attackers to inject malicious code into the query selector via the identity property in the message handling function. This enabled the exfiltration of sensitive data by manipulating the DOM, including...
CVE-2024-57965
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...
UBUNTU-CVE-2024-57965
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...
CVE-2024-57965
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...
CVE-2024-10858 Jetpack 13.0-14.0 - Unauthenticated DOM-XSS
The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com...