Total
51 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4839 | 1 Itwanger | 1 Paicoding | 2025-06-04 | 2.6 LOW | 3.1 LOW |
| A vulnerability has been found in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /paicoding-core/src/main/java/com/github/paicoding/forum/core/util/CrossUtil.java. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-37131 | 1 Dell | 1 Policy Manager For Secure Connect Gateway | 2025-05-20 | N/A | 7.5 HIGH |
| SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of malicious actions on the application in the context of the authenticated user. | |||||
| CVE-2025-25234 | 1 Omnissa | 1 Unified Access Gateway | 2025-04-21 | N/A | 7.1 HIGH |
| Omnissa UAG contains a Cross-Origin Resource Sharing (CORS) bypass vulnerability. A malicious actor with network access to UAG may be able to bypass administrator-configured CORS restrictions to gain access to sensitive networks. | |||||
| CVE-2022-31736 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 9.8 CRITICAL |
| A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. | |||||
| CVE-2022-26969 | 1 Monospace | 1 Directus | 2025-04-14 | N/A | 9.8 CRITICAL |
| In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. | |||||
| CVE-2024-11071 | 2025-04-07 | N/A | 8.8 HIGH | ||
| Permissive Cross-domain Policy with Untrusted Domains vulnerability in local API server of DestinyECM solution(versions described below) which is developed and maintained by Cyberdigm may allow Cross-Site Request Forgery (CSRF) attack, which probabilistically enables JSON Hijacking (aka JavaScript Hijacking) via forgery web page.* Due to product customization, version information may differ from the following version description. For further inquiries, please contact the vendor. | |||||
| CVE-2023-23128 | 1 Connectwise | 1 Connectwise | 2025-03-27 | N/A | 6.1 MEDIUM |
| Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability report is thus not valid. | |||||
| CVE-2022-47717 | 1 Lastyard | 1 Last Yard | 2025-03-27 | N/A | 7.5 HIGH |
| Last Yard 22.09.8-1 is vulnerable to Cross-origin resource sharing (CORS). | |||||
| CVE-2023-23464 | 1 Mediacp | 1 Media Control Panel | 2025-03-19 | N/A | 8.1 HIGH |
| Media CP Media Control Panel latest version. A Permissive Flash Cross-domain Policy may allow information disclosure. | |||||
| CVE-2023-38122 | 1 Inductiveautomation | 1 Ignition | 2025-03-12 | N/A | 7.2 HIGH |
| Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-20539. | |||||
| CVE-2024-53276 | 2025-02-18 | N/A | N/A | ||
| Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, an open CORS policy in app.js may allow an attacker to view the images of home-gallery when it is using the default settings. The following express middleware allows any website to make a cross site request to home-gallery, thus allowing them to read any endpoint on home-gallery. Home-gallery is mostly safe from cross-site requests due to most of its pages requiring JavaScript, and cross-site requests such as fetch() do not render javascript. If an attacker is able to get the path of the preview images which are randomized, an attacker will be able to view such a photo. If any static files or endpoints are introduced in the future that contain sensitive information, they will be accessible to an attacker website. | |||||
| CVE-2024-25124 | 1 Gofiber | 1 Fiber | 2025-02-05 | N/A | 9.4 CRITICAL |
| Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this. | |||||
| CVE-2024-49763 | 2024-12-02 | N/A | N/A | ||
| PlexRipper is a cross-platform media downloader for Plex. PlexRipper’s open CORS policy allows attackers to gain sensitive information from PlexRipper by getting the user to access the attacker’s domain. This allows an attacking website to access the /api/PlexAccount endpoint and steal the user’s Plex login. This vulnerability is fixed in 0.24.0. | |||||
| CVE-2024-21382 | 2 Google, Microsoft | 2 Android, Edge Chromium | 2024-11-21 | N/A | 4.3 MEDIUM |
| Microsoft Edge for Android Information Disclosure Vulnerability | |||||
| CVE-2023-50940 | 1 Ibm | 1 Powersc | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 275130. | |||||
| CVE-2023-46281 | 1 Siemens | 4 Opcenter Quality, Simatic Pcs Neo, Sinumerik Integrate Runmyhmi \/automotive and 1 more | 2024-11-21 | N/A | 7.1 HIGH |
| A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior. | |||||
| CVE-2023-46098 | 1 Siemens | 1 Simatic Pcs Neo | 2024-11-21 | N/A | 8.0 HIGH |
| A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior. | |||||
| CVE-2023-45213 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-11-21 | N/A | 6.6 MEDIUM |
| A potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device. | |||||
| CVE-2023-37526 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks. | |||||
| CVE-2023-36829 | 1 Functional | 1 Sentry | 2024-11-21 | N/A | 6.8 MEDIUM |
| Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of Sentry installation. This only affects installations that have `system.base-hostname` option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. The patch has been released in Sentry 23.6.2. | |||||