Lucene search
+L

380 matches found

RedhatCVE
RedhatCVE
added 2025/03/22 12:35 p.m.10 views

CVE-2024-7819

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

7.4CVSS6.5AI score0.00261EPSS
Exploits0References1
NVD
NVD
added 2025/03/20 10:15 a.m.6 views

CVE-2024-7819

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

7.4CVSS0.00261EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/03/20 10:9 a.m.15 views

CVE-2024-7819 CORS Misconfiguration in danswer-ai/danswer

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

7.4CVSS0.00261EPSS
Exploits0References1
CVE
CVE
added 2025/03/20 10:9 a.m.72 views

CVE-2024-7819

A CVE-2024-7819 entry concerns danswer-ai/danswer v1.4.1. The vulnerability is a CORS misconfiguration caused by improper validation of the origin header, enabling malicious web pages to issue unauthorized requests to the application's API and potentially disclose sensitive data (e.g., chat conte...

7.4CVSS6.5AI score0.00261EPSS
Exploits0References1
Veracode
Veracode
added 2025/02/05 1:30 a.m.15 views

Remote Code Execution (RCE)

Vitest is vulnerable to Remote Code Execution RCE. The vulnerability is due to the WebSocket server not validating the Origin header and lacking an authorization mechanism, allowing an attacker to inject and execute arbitrary code via the saveTestFile and rerun APIs...

9.6CVSS8.1AI score0.0067EPSS
Exploits1References8Affected Software1
OSV
OSV
added 2025/02/04 7:36 p.m.6 views

CVE-2025-24964 Remote Code Execution when accessing a malicious website while Vitest API server is listening

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking CSWSH attacks. When api option is enabled Vitest UI enables it, Vitest starts a...

9.6CVSS8.7AI score0.0067EPSS
Exploits1References6
CVE
CVE
added 2025/02/04 7:36 p.m.383 views

CVE-2025-24964

Vitest CVE-2025-24964 is a remotely exploitable CSWSH (Cross-site WebSocket hijacking) vulnerability in the Vitest API server when api is enabled. The WebSocket server did not validate Origin or enforce authorization, exposing saveTestFile (edits test files) and rerun (executes tests) APIs. An at...

9.6CVSS8.4AI score0.0067EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2025/01/20 3:53 p.m.5 views

CVE-2025-24010 Vite allows any websites to send any requests to the development server and read the response

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and...

6.5CVSS6.2AI score0.00283EPSS
Exploits1References3
CNNVD
CNNVD
added 2025/01/20 12:0 a.m.7 views

Vite 安全漏洞

Vite is a new front-end builder tool open-sourced by Vite. A security vulnerability exists in Vite that stems from default CORS settings and a lack of validation of the Origin header of a WebSocket connection, which allows any website to send any request to the development server and read the...

6.5CVSS7.6AI score0.00283EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2024/09/10 12:0 a.m.8 views

PT-2024-20861 · Unknown · 3Dsecure 2.0

Name of the Vulnerable Software and Affected Versions: 3DSecure 2.0 version 3DS Authorization Method Description: A Cross-Site Request Forgery CSRF issue was identified in the Authorization Method of 3DSecure 2.0, allowing for potential exploitation via modified Origin and Referer HTTP headers...

10CVSS7.5AI score
Exploits1References7
OSV
OSV
added 2024/08/22 5:16 p.m.28 views

GHSA-MCHX-7J67-8MCF Casdoor CORS misconfiguration (GHSL-2024-035)

Casdoor is a UI-first Identity and Access Management IAM / Single-Sign-On SSO platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in...

8.6CVSS8.2AI score0.00748EPSS
Exploits1References4
NVD
NVD
added 2024/08/20 9:15 p.m.16 views

CVE-2024-41657

Casdoor is a UI-first Identity and Access Management IAM / Single-Sign-On SSO platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in...

8.8CVSS0.00748EPSS
Exploits1References2
OSV
OSV
added 2024/08/20 8:11 p.m.14 views

CVE-2024-41657 GHSL-2024-035: Casdoor CORS misconfiguration

Casdoor is a UI-first Identity and Access Management IAM / Single-Sign-On SSO platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in...

8.1CVSS6.7AI score0.00748EPSS
Exploits1References4
BDU FSTEC
BDU FSTEC
added 2024/08/12 12:0 a.m.7 views

The vulnerability of the CORS (Cross-Origin Resource Sharing) mechanism in the exacqVision Web Service web interface of the exacqVision surveillance system allows attackers to circumvent security restrictions and execute cross-origin attacks.

The vulnerability of the CORS Cross-Origin Resource Sharing mechanism in the exacqVision Web Service web interface of the video surveillance system exists due to incorrect processing of the HTTP header “Origin”. Exploiting this vulnerability allows a malicious actor to bypass security restriction...

7.1CVSS5.5AI score0.00431EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2024/08/01 12:0 a.m.4 views

PT-2024-5518 · Unknown · Exacqvision Web Service

Name of the Vulnerable Software and Affected Versions: ExacqVision Web Services affected versions not specified Description: The issue is related to the ExacqVision Web Services, which under certain circumstances does not provide sufficient protection from untrusted domains. This is due to...

8.1CVSS6.7AI score0.00431EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2024/07/11 12:22 p.m.14 views

httpd: mod_proxy_uwsgi HTTP response splitting

An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via modproxyuwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client...

7.5CVSS7.1AI score0.02134EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2024/07/01 12:0 a.m.8 views

PT-2024-26989 · Flowise · Flowise

Name of the Vulnerable Software and Affected Versions: Flowise version 1.4.3 Description: The issue is related to a CORS misconfiguration in Flowise, where the Access-Control-Allow-Origin header is set to allow all origins, enabling arbitrary origins to connect to the website. This could allow...

8.7CVSS7.1AI score0.0596EPSS
Exploits1References8
OSV
OSV
added 2024/03/21 9:31 p.m.6 views

GHSA-3X9G-XFJ5-FQ84 Duplicate Advisory: Cross-Site Request Forgery in Gradio

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references. Original Description A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running...

4.3CVSS5.7AI score0.00352EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2023/12/29 12:0 a.m.10 views

PT-2023-31943 · Unknown · Unified Remote

Name of the Vulnerable Software and Affected Versions: Unified Remote version 3.13.0 Description: The issue allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the "Remote upload endpoint". Recommendations: For Unified Remote version 3.13....

9.8CVSS9.9AI score0.01108EPSS
Exploits1References8
Veracode
Veracode
added 2023/12/12 12:45 p.m.25 views

Missing Origin Validation

uptime-kuma is vulnerable to Missing Origin Validation. The server doesn't validate the Origin header when a user connects to the server using Socket.IO. An attacker can access protected endpoints and sensitive data by exploiting this vulnerability...

8.8CVSS6.7AI score0.00376EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder