39 matches found

EUVD · added 2025/12/18 6:30 p.m. · 4 views

EUVD-2025-204306

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any...

AI score: 6.4 · EPSS: 0.002
Exploits: 0 · References: 3
EUVD · added 2025/12/18 6:30 p.m. · 6 views

EUVD-2025-204302

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

AI score: 6.4 · EPSS: 0.00212
Exploits: 0 · References: 3
OSV · added 2025/12/18 4:15 p.m. · 6 views

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

CVSS: 9.1 · AI score: 5.7
Exploits: 0 · References: 4
Cvelist · added 2025/12/18 12:00 a.m. · 25 views

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

EPSS: 0.00212
Exploits: 0 · References: 4
Positive Technologies · added 2025/12/18 12:00 a.m. · 5 views

PT-2025-52262

Name of the Vulnerable Software and Affected Versions: Dify version 1.9.1. Description: A Cross-Origin Resource Sharing (CORS) misconfiguration exists in the /console/api/setup endpoint. The endpoint has an insecure CORS policy that reflects any Origin header and allows Access-Control-Allow-Credential...

CVSS: 9.1 · AI score: 6.5 · EPSS: 0.00212
Exploits: 0 · References: 11
Vulnrichment · added 2025/12/18 12:00 a.m. · 5 views

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

AI score: 5.7 · EPSS: 0.00212
Exploits: 0 · References: 4
RedhatCVE · added 2025/10/28 9:01 p.m. · 6 views

CVE-2025-62523

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper...

CVSS: 6.3 · AI score: 6.9 · EPSS: 0.00186
Exploits: 0 · References: 1
RedhatCVE · added 2025/10/17 4:55 p.m. · 7 views

CVE-2025-53092

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper...

CVSS: 6.5 · AI score: 6.6 · EPSS: 0.00263
Exploits: 0 · References: 1
EUVD · added 2025/10/07 12:30 a.m. · 2 views

EUVD-2021-1978

Malware in sbrugna...

CVSS: 9.1 · AI score: 8.9 · EPSS: 0.00594
Exploits: 0 · References: 5
CVE · added 2025/08/22 12:00 a.m. · 18 views

CVE-2025-51605

CVE-2025-51605 affects Shopizer 3.2.7. The server's CORS implementation reflects the Origin header verbatim into Access-Control-Allow-Origin and enables Access-Control-Allow-Credentials: true, allowing authenticated cross-origin requests and read of sensitive responses. Supported by multiple sour...

CVSS: 8.1 · AI score: 6.2 · EPSS: 0.00202
Exploits: 1 · References: 1 · Affected Software: 1
RedhatCVE · added 2025/02/06 3:59 a.m. · 21 views

CVE-2021-39185

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...

CVSS: 9.1 · AI score: 6.8 · EPSS: 0.00594
Exploits: 0 · References: 1
OSV · added 2021/09/02 4:52 p.m. · 5 views

GHSA-52CF-226F-RHR6 Default CORS config allows any origin with credentials

Impact: Origin reflection attack. The default CORS configuration is vulnerable to an origin reflection attack. Take the following http4s app (app), using the default CORS config, running at https://vulnerable.example.com: (scala) val routes: HttpRoutes[F] = HttpRoutes.of case req if req.pathInfo ===...

CVSS: 9.1 · AI score: 7.1 · EPSS: 0.00594
Exploits: 0 · References: 4
Github Security Blog · added 2021/09/02 4:52 p.m. · 81 views

Default CORS config allows any origin with credentials

Impact: Origin reflection attack. The default CORS configuration is vulnerable to an origin reflection attack. Take the following http4s app (app), using the default CORS config, running at https://vulnerable.example.com: (scala) val routes: HttpRoutes[F] = HttpRoutes.of case req if req.pathInfo ===...

CVSS: 9.1 · AI score: 8.4 · EPSS: 0.00594
Exploits: 0 · References: 4 · Affected Software: 6
NVD · added 2021/09/01 8:15 p.m. · 12 views

CVE-2021-39185

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...

CVSS: 9.1 · EPSS: 0.00594
Exploits: 0 · References: 2
OSV · added 2021/09/01 8:15 p.m. · 17 views

CVE-2021-39185

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...

CVSS: 9.1 · AI score: 9.2
Exploits: 0 · References: 2
Prion · added 2021/09/01 8:15 p.m. · 17 views

Design/Logic Flaw

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...

CVSS: 6.4 · AI score: 9.1 · EPSS: 0.00594
Exploits: 0 · References: 2 · Affected Software: 1
OSV · added 2020/01/23 6:15 p.m. · 6 views

CVE-2019-16517

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative...

CVSS: 9.8 · AI score: 7.3 · EPSS: 0.01327
Exploits: 1 · References: 5
Kitploit · added 2019/12/05 8:30 p.m. · 99 views

CORStest - A Simple CORS Misconfiguration Scanner

A simple CORS misconfiguration scanner, based on the research of James Kettle. CORStest is a quick & dirty Python 2 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. Currently, the following potential...

AI score: 6.4
Exploits: 0 · References: 1
Positive Technologies · added 2019/01/28 12:00 a.m. · 4 views

PT-2019-10198 · Olivier Poitrey · Go Cors Handler

Name of the Vulnerable Software and Affected Versions: Olivier Poitrey Go CORS handler versions 1.3.0 and earlier. Description: The issue arises from the active conversion of a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security desig...

CVSS: 5.9 · AI score: 5.6 · EPSS: 0.00717
Exploits: 0 · References: 12