23 matches found
CVE-2025-55462
A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticat...
EUVD-2021-14527
Malware in sbrugna...
Rembg CORS misconfiguration
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allowcredentia...
GHSA-59QH-FMM7-3G9Q Rembg CORS misconfiguration
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allowcredentia...
Origin Validation Error
Overview rembg is a Remove image background Affected versions of this package are vulnerable to Origin Validation Error in the addmiddleware function in scommand.py, which reflects all origins by default. Due to the allowcredentials=True setting, an attacker can send authenticated cross-site...
PYSEC-2025-25
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allowcredentia...
Cross-Origin Resource Sharing (CORS) Bypass
github.com/usememos/memos is vulnerable to Cross-Origin Resource Sharing CORS Bypass. The vulnerability is due to a CORS misconfiguration where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true, which may allow an attacker to perform cross-origin requests,...
CVE-2024-41659 GHSL-2024-034: memos CORS Misconfiguration in server.go
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker...
CVE-2024-41659 GHSL-2024-034: memos CORS Misconfiguration in server.go
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker...
Design/Logic Flaw
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard whil...
CVE-2024-25124 Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard whil...
CVE-2024-25124 Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard whil...
CVE-2023-36829 Sentry CORS misconfiguration vulnerability
Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of Sentry...
Cross site scripting
Cross-origin resource sharing CORS enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An...
CVE-2021-27786
CVE-2021-27786 affects HCL Technologies OneTest Server (versions 10.0, 10.1, 10.2). The root cause is a misconfigured HTML5 CORS policy that lacks origin restrictions, allowing requests from arbitrary origins when Access-Control-Allow-Credentials is enabled. Impact stated in sources includes pote...
CVE-2021-27786 HCL OneTest Server is vulnerable to Cross Origin Resource Sharing: Arbitrary Origin Trusted
Cross-origin resource sharing CORS enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An...
Cross site request forgery (csrf)
Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. In Open Zaak before version 1.3.3 the Cross-Origin-Resource-Sharing policy in Open Zaak is currently wide open - every client is allowed. This allows evil.com to run...
Taskcafe 0.1.0 / 0.1.1 Cross Origin Resource Sharing
Exploit Title: Taskcafé 0.1.0 and 0.1.1- Cross-Origin Resource Sharing Date: 2020- 09- 02 Exploit Author: Mufaddal Masalawala Vendor Homepage: https://github.com/JordanKnott/ Software Link: https://github.com/JordanKnott/taskcafe Version: 0.1.0 and 0.1.1 Tested on: Kali Linux 2020.3 POC: The web...
Nord Security: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information
Summary: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information. Description: An HTML5 cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy ...
U.S. Dept Of Defense: CORS Misconfiguration Leads to Exposing User Data
Vulnerable Asset: https://██████/█████████/ Discovery: - Upon accessing the site we discover two specific response headers which indicates that a cross-domain request for sensitive information might be possible 1. Access-Control-Allow-Origin: injectable 2. Access-Control-Allow-Credentials: true -...