12 matches found

Cvelist
added 2025/12/18 12:0 a.m. | 20 views

CVE-2025-63388

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any...

0.00007 EPSS
Exploits: 0 | References: 3
Cvelist
added 2024/08/20 7:54 p.m. | 19 views

CVE-2024-41659 GHSL-2024-034: memos CORS Misconfiguration in server.go

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker...

8.1 CVSS | 0.00192 EPSS
Exploits: 1 | References: 3
OSV
added 2024/08/20 7:54 p.m. | 7 views

CVE-2024-41659 GHSL-2024-034: memos CORS Misconfiguration in server.go

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker...

8.1 CVSS | 6.3 AI score | 0.00192 EPSS
Exploits: 1 | References: 5
Packet Storm
added 2024/03/15 12:0 a.m. | 281 views

HALO 2.13.1 CORS Issue

Title: HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted
Author: nu11secur1ty
Date: 03/15/2024
Vendor: https://www.halo.run/
Software: https://github.com/halo-dev/halo
Reference: https://portswigger.net/web-security/cors
Description: The application implements an HTML5...

7.4 AI score
Exploits: 0
SUSE CVE
added 2023/02/15 4:22 a.m. | 2 views

SUSE CVE-2018-18347

Incorrect handling of failed navigations with invalid URLs in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to trick a user into executing javascript in an arbitrary origin via a crafted HTML page...

8.8 CVSS | 8.5 AI score | 0.01563 EPSS
Exploits: 0 | References: 7
Hacker One
added 2023/01/27 12:13 p.m. | 16 views

Radancy: Cross-origin resource sharing: arbitrary origin trusted

referred from CWE-942: Permissive Cross-domain Policy with Untrusted Domains. Issue detail: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin https://example.com...

6.8 AI score
Exploits: 0
Ubuntu
added 2021/09/28 1:28 p.m. | 182 views

USN-5090-3: Apache HTTP Server regression

USN-5090-1 fixed vulnerabilities in Apache HTTP Server. One of the upstream fixes introduced a regression in UDS URIs. This update fixes the problem. Original advisory details: James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted methods. A remote...

7.6 AI score
Exploits: 0 | References: 1
NVD
added 2019/01/28 8:29 a.m. | 6 views

CVE-2018-20744

The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems...

5.9 CVSS | 5.8 AI score | 0.00146 EPSS
Exploits: 0 | References: 3
OSV
added 2018/12/11 4:29 p.m. | 1 views

DEBIAN-CVE-2018-18347

Incorrect handling of failed navigations with invalid URLs in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to trick a user into executing javascript in an arbitrary origin via a crafted HTML page...

8.8 CVSS | 8.5 AI score | 0.01563 EPSS
Exploits: 0 | References: 1
OSV
added 2018/12/11 4:29 p.m. | 5 views

CVE-2018-18347

Incorrect handling of failed navigations with invalid URLs in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to trick a user into executing javascript in an arbitrary origin via a crafted HTML page...

8.8 CVSS | 8.1 AI score
Exploits: 0 | References: 6
Prion
added 2018/12/11 4:29 p.m. | 14 views

Hardcoded credentials

Incorrect handling of failed navigations with invalid URLs in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to trick a user into executing javascript in an arbitrary origin via a crafted HTML page...

6.8 CVSS | 7.9 AI score | 0.01563 EPSS
Exploits: 0 | References: 6 | Affected Software: 5
Hacker One
added 2018/10/02 9:8 a.m. | 894 views

Chaturbate: Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com

Very low-quality reports, such as those which only contain automated output, will be rejected. Summary: Hi, I was able to discover a number of instances on chatws25.stream.highwebmedia.com where the application accepts an arbitrarily supplied origin. The application implements an HTML5 cross-origin...

0.8 AI score
Exploits: 0