RedhatCVE
added 2025/02/05 1:07 a.m. · 5 views

CVE-2024-28948

Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other...

CVSS 8.8 · AI score 7 · EPSS 0.00087
Exploits 0 · References 1
OSV
added 2025/01/30 7:13 p.m. · 8 views

BIT-GOLANG-2024-45336 Sensitive headers incorrectly sent after cross-domain redirect in net/http

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however,...

CVSS 6.1 · AI score 6.7 · EPSS 0.00142
Exploits 0 · References 7
Veracode
added 2025/01/30 3:49 a.m. · 6 views

Script Injection

Nuxt is vulnerable to script injection. The vulnerability, caused by the lack of same-origin policy enforcement for script requests, allows attackers to inject malicious scripts into a victim's site via a script tag, bypassing security measures intended to prevent such cross-origin interactions...

CVSS 5.3 · AI score 6.9 · EPSS 0.00253
Exploits 0 · References 2 · Affected software 3
Debian CVE
added 2025/01/29 12:00 a.m. · 9 views

CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href', href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability...

CVSS 9.8 · AI score 7.3 · EPSS 0.00088
Exploits 0
OSV
added 2025/01/28 2:15 a.m. · 1 view

AZL-78950 CVE-2024-45336 affecting package golang 1.25.7-1

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however,...

CVSS 6.1 · AI score 6.7 · EPSS 0.00142
Exploits 0 · References 1
OSV
added 2025/01/28 2:15 a.m. · 3 views

AZL-56005 CVE-2024-45336 affecting package golang for versions less than 1.23.7-1

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however,...

CVSS 6.1 · AI score 6.7 · EPSS 0.00142
Exploits 0 · References 1
CVE
added 2025/01/28 1:03 a.m. · 325 views

CVE-2024-45336

CVE-2024-45336 affects the Go net/http client. When following redirects, sensitive headers (e.g., Authorization) may be dropped after cross-domain redirects but could be restored on subsequent same-domain redirects, potentially sending headers to a final host in a redirect chain (e.g., a.com ->...

CVSS 6.1 · AI score 6.6 · EPSS 0.00142
Exploits 0 · References 6
OSV
added 2025/01/28 12:47 a.m. · 6 views

GO-2025-3420 Sensitive headers incorrectly sent after cross-domain redirect in net/http

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however,...

CVSS 6.1 · AI score 6.7 · EPSS 0.00142
Exploits 0 · References 4
Vulnrichment
added 2025/01/25 12:53 a.m. · 10 views

CVE-2025-24361 Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script b...

CVSS 5.3 · AI score 5.3 · EPSS 0.00253
Exploits 0 · References 2
Positive Technologies
added 2025/01/21 12:00 a.m. · 4 views

PT-2025-2984

Name of the Vulnerable Software and Affected Versions: CodeChecker versions through 6.24.4. Description: Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged-in user and use the web API with the same permissions, including adding, removing, or editin...

CVSS 8.2 · AI score 6.5 · EPSS 0.00243
Exploits 1 · References 11
SUSE CVE
added 2025/01/20 3:52 a.m. · 0 views

SUSE CVE-2024-45336

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however,...

CVSS 5.9 · AI score 8.1 · EPSS 0.00142
Exploits 0 · References 17
Snyk
added 2025/01/17 4:29 p.m. · 1 view

Improper Restriction of Rendered UI Layers or Frames

Overview: nbgrader is a system for assigning and grading notebooks. Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames due to the improper configuration of the frame-ancestors directive. An attacker can extract sensitive content by crafting...

CVSS 8.6 · AI score 7 · EPSS 0.00376
Exploits 0 · References 2
CNNVD
added 2025/01/15 12:00 a.m. · 2 views

Sentry authorization issue vulnerability

Sentry is a developer-oriented bug tracking and performance monitoring platform from Sentry Open Source. An authorization issue vulnerability exists in versions of Sentry prior to 25.1.0 that stems from allowing an attacker to take over any user account by using a malicious SAML identity provider...

CVSS 9.1 · AI score 6.4 · EPSS 0.0054
Exploits 0 · References 1
OSV
added 2025/01/14 7:19 p.m. · 13 views

BIT-PHP-MIN-2024-2756 __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix

Due to an incomplete fix to CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications...

CVSS 6.5 · AI score 7.3 · EPSS 0.08698
Exploits 0 · References 7
Snyk
added 2025/01/14 3:42 p.m. · 1 view

Exposed Dangerous Method or Function

Overview: typo3/cms-lowlevel is a package that enables the 'Config' and 'DB Check' modules for technical analysis of the system. This includes raw database search, checking relations, counting pages and records, etc. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via t...

CVSS 6.5 · AI score 6.9 · EPSS 0.00309
Exploits 0 · References 2
Snyk
added 2025/01/14 3:42 p.m. · 1 view

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the backend user interface functionality involving deep links. An attacker can manipulate the state-changing actions and trigger unauthorized commands by deceiving a victim into interacting with a...

CVSS 8.5 · AI score 7.1 · EPSS 0.00955
Exploits 0 · References 2
Snyk
added 2025/01/14 3:40 p.m. · 3 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the backend user interface functionality involving deep links. An attacker can manipulate the session and perform unauthorized actions. Note: This is only exploitable if the...

CVSS 8.8 · AI score 7 · EPSS 0.0388
Exploits 0 · References 2
Positive Technologies
added 2025/01/14 12:00 a.m. · 3 views

PT-2025-3145 · Typo3 · Typo3

Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 11.5.42 ELTS; TYPO3 versions prior to 12.4.25 LTS; TYPO3 versions prior to 13.4.3 LTS. Description: A vulnerability has been identified in the backend user interface functionality involving deep links, which is susceptibl...

CVSS 4.3 · AI score 7 · EPSS 0.0023
Exploits 0 · References 12
Positive Technologies
added 2025/01/14 12:00 a.m. · 2 views

PT-2025-3144 · Typo3 · Typo3

Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 11.5.42 ELTS; TYPO3 versions prior to 12.4.25 LTS; TYPO3 versions prior to 13.4.3 LTS. Description: A vulnerability has been identified in the backend user interface functionality involving deep links, which is susceptibl...

CVSS 4.3 · AI score 6.8 · EPSS 0.00575
Exploits 0 · References 12
Positive Technologies
added 2025/01/14 12:00 a.m. · 5 views

PT-2025-3149 · Typo3 · Typo3

Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 11.5.42 ELTS; TYPO3 versions prior to 12.4.25 LTS; TYPO3 versions prior to 13.4.3 LTS. Description: A vulnerability has been identified in the backend user interface functionality involving deep links, which is susceptibl...

CVSS 7.5 · AI score 7.5 · EPSS 0.0388
Exploits 0 · References 9