380 matches found
CVE-2024-7819
A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...
CVE-2024-7819
A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...
CVE-2024-7819 CORS Misconfiguration in danswer-ai/danswer
A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...
CVE-2024-7819
A CVE-2024-7819 entry concerns danswer-ai/danswer v1.4.1. The vulnerability is a CORS misconfiguration caused by improper validation of the origin header, enabling malicious web pages to issue unauthorized requests to the application's API and potentially disclose sensitive data (e.g., chat conte...
Remote Code Execution (RCE)
Vitest is vulnerable to Remote Code Execution RCE. The vulnerability is due to the WebSocket server not validating the Origin header and lacking an authorization mechanism, allowing an attacker to inject and execute arbitrary code via the saveTestFile and rerun APIs...
CVE-2025-24964 Remote Code Execution when accessing a malicious website while Vitest API server is listening
Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking CSWSH attacks. When api option is enabled Vitest UI enables it, Vitest starts a...
CVE-2025-24964
Vitest CVE-2025-24964 is a remotely exploitable CSWSH (Cross-site WebSocket hijacking) vulnerability in the Vitest API server when api is enabled. The WebSocket server did not validate Origin or enforce authorization, exposing saveTestFile (edits test files) and rerun (executes tests) APIs. An at...
CVE-2025-24010 Vite allows any websites to send any requests to the development server and read the response
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and...
Vite 安全漏洞
Vite is a new front-end builder tool open-sourced by Vite. A security vulnerability exists in Vite that stems from default CORS settings and a lack of validation of the Origin header of a WebSocket connection, which allows any website to send any request to the development server and read the...
PT-2024-20861 · Unknown · 3Dsecure 2.0
Name of the Vulnerable Software and Affected Versions: 3DSecure 2.0 version 3DS Authorization Method Description: A Cross-Site Request Forgery CSRF issue was identified in the Authorization Method of 3DSecure 2.0, allowing for potential exploitation via modified Origin and Referer HTTP headers...
GHSA-MCHX-7J67-8MCF Casdoor CORS misconfiguration (GHSL-2024-035)
Casdoor is a UI-first Identity and Access Management IAM / Single-Sign-On SSO platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in...
CVE-2024-41657
Casdoor is a UI-first Identity and Access Management IAM / Single-Sign-On SSO platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in...
CVE-2024-41657 GHSL-2024-035: Casdoor CORS misconfiguration
Casdoor is a UI-first Identity and Access Management IAM / Single-Sign-On SSO platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in...
The vulnerability of the CORS (Cross-Origin Resource Sharing) mechanism in the exacqVision Web Service web interface of the exacqVision surveillance system allows attackers to circumvent security restrictions and execute cross-origin attacks.
The vulnerability of the CORS Cross-Origin Resource Sharing mechanism in the exacqVision Web Service web interface of the video surveillance system exists due to incorrect processing of the HTTP header “Origin”. Exploiting this vulnerability allows a malicious actor to bypass security restriction...
PT-2024-5518 · Unknown · Exacqvision Web Service
Name of the Vulnerable Software and Affected Versions: ExacqVision Web Services affected versions not specified Description: The issue is related to the ExacqVision Web Services, which under certain circumstances does not provide sufficient protection from untrusted domains. This is due to...
httpd: mod_proxy_uwsgi HTTP response splitting
An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via modproxyuwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client...
PT-2024-26989 · Flowise · Flowise
Name of the Vulnerable Software and Affected Versions: Flowise version 1.4.3 Description: The issue is related to a CORS misconfiguration in Flowise, where the Access-Control-Allow-Origin header is set to allow all origins, enabling arbitrary origins to connect to the website. This could allow...
GHSA-3X9G-XFJ5-FQ84 Duplicate Advisory: Cross-Site Request Forgery in Gradio
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references. Original Description A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running...
PT-2023-31943 · Unknown · Unified Remote
Name of the Vulnerable Software and Affected Versions: Unified Remote version 3.13.0 Description: The issue allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the "Remote upload endpoint". Recommendations: For Unified Remote version 3.13....
Missing Origin Validation
uptime-kuma is vulnerable to Missing Origin Validation. The server doesn't validate the Origin header when a user connects to the server using Socket.IO. An attacker can access protected endpoints and sensitive data by exploiting this vulnerability...