334 matches found
CVE-2025-24964
Vitest CVE-2025-24964 is a remotely exploitable CSWSH (Cross-site WebSocket hijacking) vulnerability in the Vitest API server when api is enabled. The WebSocket server did not validate Origin or enforce authorization, exposing saveTestFile (edits test files) and rerun (executes tests) APIs. An at...
CVE-2025-24964 Remote Code Execution when accessing a malicious website while Vitest API server is listening
Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking CSWSH attacks. When the api option is enabled (Vitest UI enables it), Vitest starts a...
CVE-2025-24010 Vite allows any websites to send any requests to the development server and read the response
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and...
Vite security vulnerability
Vite is a front-end build tool open-sourced by Vite. A security vulnerability exists in Vite that stems from default CORS settings and a lack of validation of the Origin header of a WebSocket connection, which allows any website to send any request to the development server and read the...
PT-2024-20861 · Unknown · 3Dsecure 2.0
Name of the Vulnerable Software and Affected Versions: 3DSecure 2.0 version 3DS Authorization Method Description: A Cross-Site Request Forgery CSRF issue was identified in the Authorization Method of 3DSecure 2.0, allowing for potential exploitation via modified Origin and Referer HTTP headers...
GHSA-MCHX-7J67-8MCF Casdoor CORS misconfiguration (GHSL-2024-035)
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to a logic error in...
CVE-2024-41657
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to a logic error in...
CVE-2024-41657 GHSL-2024-035: Casdoor CORS misconfiguration
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to a logic error in...
The vulnerability of the CORS (Cross-Origin Resource Sharing) mechanism in the exacqVision Web Service web interface of the exacqVision surveillance system allows attackers to circumvent security restrictions and execute cross-origin attacks.
The vulnerability of the CORS Cross-Origin Resource Sharing mechanism in the exacqVision Web Service web interface of the video surveillance system exists due to incorrect processing of the HTTP header “Origin”. Exploiting this vulnerability allows a malicious actor to bypass security restriction...
PT-2024-5518 · Unknown · Exacqvision Web Service
Name of the Vulnerable Software and Affected Versions: ExacqVision Web Services affected versions not specified Description: The issue is related to the ExacqVision Web Services, which under certain circumstances does not provide sufficient protection from untrusted domains. This is due to...
httpd: mod_proxy_uwsgi HTTP response splitting
An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via mod_proxy_uwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client...
PT-2024-26989 · Flowise · Flowise
Name of the Vulnerable Software and Affected Versions: Flowise version 1.4.3 Description: The issue is related to a CORS misconfiguration in Flowise, where the Access-Control-Allow-Origin header is set to allow all origins, enabling arbitrary origins to connect to the website. This could allow...
GHSA-3X9G-XFJ5-FQ84 Duplicate Advisory: Cross-Site Request Forgery in Gradio
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. This link is maintained to preserve external references. Original Description: A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running...
PT-2023-31943 · Unknown · Unified Remote
Name of the Vulnerable Software and Affected Versions: Unified Remote version 3.13.0 Description: The issue allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the "Remote upload endpoint". Recommendations: For Unified Remote version 3.13....
Missing Origin Validation
uptime-kuma is vulnerable to Missing Origin Validation. The server doesn't validate the Origin header when a user connects to the server using Socket.IO. An attacker can access protected endpoints and sensitive data by exploiting this vulnerability...
koajs cors security vulnerability
koajs cors is a cross-origin resource sharing module for koa. A security vulnerability exists in koajs cors prior to version 5.0.0, which stems from the fact that if an allowed origin is not configured, it will return an Access-Control-Allow-Origin header containing the origin value from the request, which...
PT-2023-31363 · Unknown · Uptime Kuma
Name of the Vulnerable Software and Affected Versions: Uptime Kuma versions prior to 1.23.9 Description: Uptime Kuma is a self-hosted monitoring tool that uses WebSocket with Socket.io. Prior to version 1.23.9, the application does not verify the source of communication, allowing third-party...