Total
43 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6449 | 1 Hyperview | 1 Geoportal Toolkit | 2024-09-12 | N/A | 6.5 MEDIUM |
| HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides. | |||||
| CVE-2024-41657 | 1 Casbin | 1 Casdoor | 2024-08-28 | N/A | 8.1 HIGH |
| Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user. | |||||
| CVE-2024-32862 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-08-09 | N/A | 6.8 MEDIUM |
| Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. | |||||