CVE-2024-23633

CVE-2024-23633 affects Label Studio (open‑source data labeling tool) prior to version 1.10.1. The issue arises in the remote import feature: when a URL is fetched, the server uses the URL’s filename and returns a file via an API, with the response content type determined by the file’s extension (...

CVE-2024-23633 Label Studio XSS Vulnerability on Data Import

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...

CentOS 7 : thunderbird (RHSA-2023:4495)

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:4495 advisory. - Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document...

CentOS 7 : firefox (RHSA-2023:4461)

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:4461 advisory. - Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of...

Same-Origin Policy Bypass

@koa/cors is vulnerable to Same-Origin Policy Bypass. The vulnerability exists in the index.js because the middleware operates in a way that if an allowed origin is not provided by default, it will return an Access-Control-Allow-Origin header with the value set to the origin from the request. Thi...

CVE-2023-49803

@koa/cors npm provides Cross-Origin Resource Sharing CORS for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request...

CVE-2023-49803 @koa/cors has overly permissive origin policy

@koa/cors npm provides Cross-Origin Resource Sharing CORS for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request...

CVE-2023-49803 @koa/cors has overly permissive origin policy

@koa/cors npm provides Cross-Origin Resource Sharing CORS for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request...

GHSA-QXRJ-HX23-XP82 Overly permissive origin policy

Currently, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy SOP,...

Overly permissive origin policy

Currently, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy SOP,...

PT-2023-31361 · Npm · @Koa/Cors

Name of the Vulnerable Software and Affected Versions: @koa/cors versions prior to 5.0.0 Description: The @koa/cors middleware for the koa web framework in Node.js has a security issue where it returns an Access-Control-Allow-Origin header with the value of the origin from the request if an allow...

Oracle Linux 9 : webkit2gtk3 (ELSA-2023-6535)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-6535 advisory. 2.40.5-1 - Update to 2.40.5 Related: 2176270 2.40.4-1 - Update to 2.40.4 Related: 2176270 2.40.3-2 - Disable JIT Related: 2176270 2.40.3-1 - Update to...

Important: Red Hat Security Advisory: webkit2gtk3 security, bug fix, and enhancement update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...

webkitgtk: Same Origin Policy bypass via crafted web content

A vulnerability was found in WebKitGTK. This security issue occurs when processing maliciously crafted web content that may bypass the same-origin Policy...

webkitgtk: bypass Same Origin Policy

A flaw was found in WebKitGTK. This flaw exists due to an error when handling the Same Origin Policy. A remote attacker can bypass Same Origin Policy restrictions...

ALSA-2023:7055 Important: webkit2gtk3 security and bug fix update

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: arbitrary code execution CVE-2023-32393 webkitgtk: bypass Same Origin Policy CVE-2023-38572 webkitgtk: Processing web content may lead to arbitrary code execution CVE-2023-38592...

CentOS 8 : webkit2gtk3 (CESA-2023:7055)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2023:7055 advisory. - A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, Safari 15.6...

Important: webkit2gtk3 security and bug fix update

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: arbitrary code execution CVE-2023-32393 webkitgtk: bypass Same Origin Policy CVE-2023-38572 webkitgtk: Processing web content may lead to arbitrary code execution CVE-2023-38592...

X (Formerly Twitter): Cross-Domain Leakage of X Username / UserID due to Dynamically Generated JS File

The vulnerability allowed the retrieval of a user's X username and user ID from a dynamically generated JavaScript file hosted on Twitter. An attacker could force a victim to import the file from a malicious website, bypassing the Same-Origin Policy and exposing the user's sensitive information...

Important: Red Hat Security Advisory: webkit2gtk3 security, bug fix, and enhancement update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...