Vulnerabilities (CVE)

Filtered by CWE-346
Total 359 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-5593 1 Psi-plus 1 Psi\+ 2025-04-20 4.3 MEDIUM 5.9 MEDIUM
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Psi+ (0.16.563.580 - 0.16.571.627).
CVE-2017-8793 1 Accellion 1 File Transfer Appliance 2025-04-20 6.8 MEDIUM 8.8 HIGH
An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.
CVE-2017-5858 1 Conversejs 1 Converse.js 2025-04-20 4.3 MEDIUM 5.9 MEDIUM
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4).
CVE-2017-7667 1 Apache 1 Nifi 2025-04-20 5.0 MEDIUM 7.5 HIGH
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.
CVE-2017-5592 1 Profanity Project 1 Profanity 2025-04-20 4.3 MEDIUM 5.9 MEDIUM
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for profanity (0.4.7 - 0.5.0).
CVE-2025-3651 2025-04-17 N/A N/A
Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions 10.8.1.46 and earlier allows attackers to execute arbitrary commands via unauthorized access to the Agent service.  This has been remediated in Work Desktop for Mac version 10.8.2.33.
CVE-2022-1747 1 Dominionvoting 2 Democracy Suite, Imagecast X 2025-04-17 2.1 LOW 4.6 MEDIUM
The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization.
CVE-2022-1520 1 Mozilla 1 Thunderbird 2025-04-16 N/A 4.3 MEDIUM
When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9.
CVE-2022-22757 1 Mozilla 1 Firefox 2025-04-16 N/A 6.5 MEDIUM
Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97.
CVE-2022-38472 1 Mozilla 2 Firefox, Thunderbird 2025-04-15 N/A 6.5 MEDIUM
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
CVE-2022-42927 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2025-04-15 N/A 8.1 HIGH
A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via `performance.getEntries()`. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.
CVE-2022-29915 1 Mozilla 1 Firefox 2025-04-15 N/A 4.3 MEDIUM
The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.
CVE-2014-1502 5 Mozilla, Opensuse, Opensuse Project and 2 more 8 Firefox, Seamonkey, Opensuse and 5 more 2025-04-12 6.8 MEDIUM N/A
The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors.
CVE-2017-20146 1 Gorillatoolkit 1 Handlers 2025-04-11 N/A 9.8 CRITICAL
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
CVE-2011-3956 1 Google 1 Chrome 2025-04-11 6.8 MEDIUM N/A
The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension.
CVE-2011-3072 1 Google 1 Chrome 2025-04-11 6.8 MEDIUM N/A
Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to pop-up windows.
CVE-2012-4193 4 Canonical, Mozilla, Redhat and 1 more 12 Ubuntu Linux, Firefox, Seamonkey and 9 more 2025-04-11 6.8 MEDIUM N/A
Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
CVE-2014-1487 7 Canonical, Debian, Fedoraproject and 4 more 18 Ubuntu Linux, Debian Linux, Fedora and 15 more 2025-04-11 5.0 MEDIUM 7.5 HIGH
The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
CVE-2011-2856 1 Google 1 Chrome 2025-04-11 7.5 HIGH N/A
Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
CVE-2011-3067 2 Apple, Google 3 Iphone Os, Safari, Chrome 2025-04-11 6.8 MEDIUM N/A
Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to replacement of IFRAME elements.