49 matches found

RedhatCVE
added 2026/01/09 9:21 a.m., 4 views

CVE-2021-41101

wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS Access-Control-Allow-Origin header set by nginz is set for all subdomains of .wire.com including wire.com. This means that if somebody were to find an XSS vector in any of the...

CVSS 5.7 | AI score 6.1 | EPSS 0.00306
Exploits: 0 | References: 1

NVD
added 2025/10/27 9:15 p.m., 3 views

CVE-2025-62523

PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing CORS misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper...

CVSS 6.3 | EPSS 0.00041
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2020-25955

Malware in sbrugna...

CVSS 5.3 | AI score 4.7 | EPSS 0.00163
Exploits: 0 | References: 3

Veracode
added 2025/01/29 7:19 a.m., 5 views

Sensitive Data Exposure

github.com/cilium/cilium is vulnerable to Sensitive Data Exposure. The vulnerability is due to improper default configuration of the Access-Control-Allow-Origin header, which allows cross-origin requests from untrusted sources, potentially exposing sensitive information when accessing the Hubble ...

CVSS 6.5 | AI score 6.3 | EPSS 0.00055
Exploits: 0 | References: 4 | Affected Software: 1

OSV
added 2024/08/05 9:29 p.m., 27 views

GHSA-66F2-XXGM-F6XP Flowise Cors Misconfiguration in packages/server/src/index.ts

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration unauthenticated,...

CVSS 8.7 | AI score 7.4 | EPSS 0.01631
Exploits: 1 | References: 4

Veracode
added 2024/07/03 6:3 a.m., 8 views

Origin Validation Error

flowise is vulnerable to a CORS misconfiguration. The vulnerability is due to the Access-Control-Allow-Origin header being set to allow all origins, permitting arbitrary origins to connect to the website. In the default unauthenticated configuration, attackers can exploit this to make requests to...

CVSS 7.5 | AI score 7 | EPSS 0.01631
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2024/07/01 3:58 p.m., 44 views

CVE-2024-36421

Flowise 1.4.3 is affected by a CORS misconfiguration that sets Access-Control-Allow-Origin to '*' (all origins), in the default unauthenticated configuration enabling arbitrary origins to connect. This misconfiguration may be chained with path injection to permit reading arbitrary files from the ...

CVSS 7.5 | AI score 7.4 | EPSS 0.01631
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2024/07/01 3:58 p.m., 12 views

CVE-2024-36421 GHSL-2023-234: Flowise Cors Misconfiguration in packages/server/src/index.ts

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration unauthenticated,...

CVSS 7.5 | AI score 6.8 | EPSS 0.01631
Exploits: 1 | References: 2

Prion
added 2024/02/21 9:15 p.m., 25 views

Design/Logic Flaw

Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard whil...

CVSS 7.5 | AI score 7 | EPSS 0.00485
Exploits: 1 | References: 8

Vulnrichment
added 2024/02/21 9:1 p.m., 10 views

CVE-2024-25124 Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard whil...

CVSS 9.4 | AI score 6.7 | EPSS 0.00485
Exploits: 1 | References: 8

OSV
added 2024/02/21 9:1 p.m., 34 views

CVE-2024-25124 Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard whil...

CVSS 9.4 | AI score 9.4 | EPSS 0.00485
Exploits: 1 | References: 10

NVD
added 2023/12/30 6:15 a.m., 10 views

CVE-2023-52252

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint...

CVSS 9.8 | EPSS 0.01294
Exploits: 1 | References: 2

Prion
added 2023/12/30 6:15 a.m., 11 views

Design/Logic Flaw

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint...

CVSS 7.5 | AI score 8.3 | EPSS 0.01294
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2023/12/30 12:0 a.m., 34 views

CVE-2023-52252

CVE-2023-52252 affects Unified Remote 3.13.0. The root cause is a wildcarded Access-Control-Allow-Origin header on the Remote upload endpoint, enabling remote attackers to execute arbitrary Lua code. The impact reported is remote code execution with high confidentiality/integrity/availability ris...

CVSS 9.8 | AI score 9.7 | EPSS 0.01294
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2023/12/30 12:0 a.m., 10 views

CVE-2023-52252

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint...

AI score 10 | EPSS 0.01294
Exploits: 1 | References: 2

0day.today
added 2023/04/06 12:0 a.m., 334 views

Unified Remote 3.13.0 - Remote Code Execution Exploit

Exploit Title: Unified Remote 3.13.0 - Remote Code Execution RCE Google Dork: NA Exploit Author: H4rk3nz0 Vendor Homepage: https://www.unifiedremote.com/ Software Link: https://www.unifiedremote.com/download/windows Version: 3.13.0 Current Tested on: Windows CVE : NA Due to the use of...

AI score 7.1
Exploits: 0

Packet Storm
added 2023/04/06 12:0 a.m., 268 views

Unified Remote 3.13.0 Remote Code Execution

Exploit Title: Unified Remote 3.13.0 - Remote Code Execution RCE Google Dork: NA Date: 03/03/2023 Exploit Author: H4rk3nz0 Vendor Homepage: https://www.unifiedremote.com/ Software Link: https://www.unifiedremote.com/download/windows Version: 3.13.0 Current Tested on: Windows CVE : NA Due to the u...

AI score 6.8
Exploits: 0

Exploit DB
added 2023/04/06 12:0 a.m., 254 views

Unified Remote 3.13.0 - Remote Code Execution (RCE)

Exploit Title: Unified Remote 3.13.0 - Remote Code Execution RCE Google Dork: NA Date: 03/03/2023 Exploit Author: H4rk3nz0 Vendor Homepage: https://www.unifiedremote.com/ Software Link: https://www.unifiedremote.com/download/windows Version: 3.13.0 Current Tested on: Windows CVE : NA Due to the u...

AI score 7
Exploits: 0

Vulnrichment
added 2023/02/01 12:0 a.m., 5 views

CVE-2023-23128

Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing CORS. The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability report is thus not...

AI score 6.3 | EPSS 0.00195
Exploits: 0 | References: 1

RedhatCVE
added 2023/01/04 8:35 p.m., 36 views

CVE-2017-20146

A flaw was found in Gorilla. Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy...

CVSS 7 | AI score 2.9 | EPSS 0.00108
Exploits: 0 | References: 6