CWE-942
AllowedPermissive Cross-domain Security Policy with Untrusted Domains
Abstraction: Variant · Status: Incomplete
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
178 vulnerabilities reference this CWE, most recent first.
GHSA-3RG4-QGV3-4987
Vulnerability from github – Published: 2024-01-26 03:30 – Updated: 2024-01-26 03:30Microsoft Edge for Android Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21382"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-26T01:15:10Z",
"severity": "MODERATE"
},
"details": "Microsoft Edge for Android Information Disclosure Vulnerability",
"id": "GHSA-3rg4-qgv3-4987",
"modified": "2024-01-26T03:30:19Z",
"published": "2024-01-26T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21382"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21382"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3VCP-CHFH-F6R2
Vulnerability from github – Published: 2026-05-14 20:15 – Updated: 2026-06-09 10:19Summary
Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material.
Am I affected?
You are affected if all of these hold:
kuma-cpruns with default config (CorsAllowedDomains: [".*"]andLocalhostIsAdmin: true).- The control plane is reachable from a browser on the same machine:
kuma-cp runon a developer laptop- Docker
--network hostor port-publish on a workstation kubectl port-forwardfrom a machine that also browses the web- The operator visits a page running attacker JavaScript while the control plane is reachable.
You are not affected if:
- The control plane runs on a Kubernetes cluster accessed via ClusterIP, NodePort, or LoadBalancer from a remote client.
- The control plane runs on an SSH-administered VM with no browser on the host.
KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=falseis set (see https://kuma.io/docs/latest/production/secure-deployment/api-server-auth/).KUMA_API_SERVER_CORS_ALLOWED_DOMAINSis set to an explicit allowlist that excludes attacker origins.
Mitigation
- Set
KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=falseafter retrieving the admin token. - Set
KUMA_API_SERVER_CORS_ALLOWED_DOMAINSto an explicit allowlist, for examplehttp://localhost:5681,http://127.0.0.1:5681. - Do not run
kuma-cpon a machine where you browse untrusted sites.
Fix
Fixed in #16416, backported to all supported release branches (#16423, #16424, #16425, #16426, #16427).
Changes in patched versions:
CorsAllowedDomainsdefault changed from[".*"]to[]— CORS is now opt-in; set the env var explicitly if you need GUI access.LocalhostIsAdminhardened: now requires direct loopbackRemoteAddrandHost, and rejects requests carrying proxy-hop headers (X-Forwarded-For), cross-site fetch metadata (Sec-Fetch-Site), or a non-localhostOrigin.
Upgrade to a patched version:
- 2.7.25
- 2.9.15
- 2.11.13
- 2.12.10
- 2.13.5
Credits
Reported by eldudareeno.
CVSS
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N = 5.1 Medium.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.0"
},
{
"fixed": "2.11.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0"
},
{
"fixed": "2.12.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kumahq/kuma"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.13.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45021"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:15:08Z",
"nvd_published_at": "2026-05-28T18:16:34Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nDefault `kuma-cp` config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. `CorsAllowedDomains: [\".*\"]` reflects any `Origin`, and `LocalhostIsAdmin: true` promotes requests from `127.0.0.1` to `mesh-system:admin`. A cross-origin `fetch()` from a malicious page returns the admin JWT and signing material.\n\n## Am I affected?\n\nYou are affected if all of these hold:\n\n1. `kuma-cp` runs with default config (`CorsAllowedDomains: [\".*\"]` and `LocalhostIsAdmin: true`).\n2. The control plane is reachable from a browser on the same machine:\n - `kuma-cp run` on a developer laptop\n - Docker `--network host` or port-publish on a workstation\n - `kubectl port-forward` from a machine that also browses the web\n3. The operator visits a page running attacker JavaScript while the control plane is reachable.\n\nYou are not affected if:\n\n- The control plane runs on a Kubernetes cluster accessed via ClusterIP, NodePort, or LoadBalancer from a remote client.\n- The control plane runs on an SSH-administered VM with no browser on the host.\n- `KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false` is set (see https://kuma.io/docs/latest/production/secure-deployment/api-server-auth/).\n- `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` is set to an explicit allowlist that excludes attacker origins.\n\n## Mitigation\n\n1. Set `KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false` after retrieving the admin token.\n2. Set `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to an explicit allowlist, for example `http://localhost:5681,http://127.0.0.1:5681`.\n3. Do not run `kuma-cp` on a machine where you browse untrusted sites.\n\n## Fix\n\nFixed in [#16416](https://github.com/kumahq/kuma/pull/16416), backported to all supported release branches ([#16423](https://github.com/kumahq/kuma/pull/16423), [#16424](https://github.com/kumahq/kuma/pull/16424), [#16425](https://github.com/kumahq/kuma/pull/16425), [#16426](https://github.com/kumahq/kuma/pull/16426), [#16427](https://github.com/kumahq/kuma/pull/16427)).\n\nChanges in patched versions:\n\n- `CorsAllowedDomains` default changed from `[\".*\"]` to `[]` \u2014 CORS is now opt-in; set the env var explicitly if you need GUI access.\n- `LocalhostIsAdmin` hardened: now requires direct loopback `RemoteAddr` and `Host`, and rejects requests carrying proxy-hop headers (`X-Forwarded-For`), cross-site fetch metadata (`Sec-Fetch-Site`), or a non-localhost `Origin`.\n\nUpgrade to a patched version:\n\n- 2.7.25\n- 2.9.15\n- 2.11.13\n- 2.12.10\n- 2.13.5\n\n## Credits\n\nReported by `eldudareeno`.\n\n## CVSS\n\n`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` = 5.1 Medium.",
"id": "GHSA-3vcp-chfh-f6r2",
"modified": "2026-06-09T10:19:22Z",
"published": "2026-05-14T20:15:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45021"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/pull/16416"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/pull/16423"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/pull/16424"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/pull/16425"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/pull/16426"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/pull/16427"
},
{
"type": "WEB",
"url": "https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907"
},
{
"type": "PACKAGE",
"url": "https://github.com/kumahq/kuma"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin"
}
GHSA-3X46-395M-V3QC
Vulnerability from github – Published: 2023-04-28 12:30 – Updated: 2023-04-28 12:30Sensitive information disclosure due to CORS misconfiguration. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.2.0-135.
{
"affected": [],
"aliases": [
"CVE-2023-2360"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-28T12:15:09Z",
"severity": "LOW"
},
"details": "Sensitive information disclosure due to CORS misconfiguration. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.2.0-135.",
"id": "GHSA-3x46-395m-v3qc",
"modified": "2023-04-28T12:30:15Z",
"published": "2023-04-28T12:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2360"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-4215"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4765-J7W9-P387
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 15:30A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
{
"affected": [],
"aliases": [
"CVE-2022-31736"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "CRITICAL"
},
"details": "A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird \u003c 91.10, Firefox \u003c 101, and Firefox ESR \u003c 91.10.",
"id": "GHSA-4765-j7w9-p387",
"modified": "2025-04-15T15:30:35Z",
"published": "2022-12-22T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31736"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1735923"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-21"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4946-85PR-FVXH
Vulnerability from github – Published: 2024-03-15 16:42 – Updated: 2024-03-15 16:42Impact
The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server.
The impact is limited because v6 does not use session cookies
Patches
No
Workarounds
No
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.2"
},
"package": {
"ecosystem": "PyPI",
"name": "vantage6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23823"
],
"database_specific": {
"cwe_ids": [
"CWE-863",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-15T16:42:55Z",
"nvd_published_at": "2024-03-14T19:15:49Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. \n\nThe impact is limited because v6 does not use session cookies\n\n### Patches\nNo\n\n### Workarounds\nNo",
"id": "GHSA-4946-85pr-fvxh",
"modified": "2024-03-15T16:42:55Z",
"published": "2024-03-15T16:42:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-4946-85pr-fvxh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23823"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/commit/70bb4e1d889230a841eb364d6c03accd7dd01a41"
},
{
"type": "PACKAGE",
"url": "https://github.com/vantage6/vantage6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "vantage6\u0027s CORS settings overly permissive"
}
GHSA-4CQ7-5C7C-CC5R
Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.
{
"affected": [],
"aliases": [
"CVE-2026-57957"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T18:16:41Z",
"severity": "LOW"
},
"details": "Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.",
"id": "GHSA-4cq7-5c7c-cc5r",
"modified": "2026-06-29T18:31:56Z",
"published": "2026-06-29T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57957"
},
{
"type": "WEB",
"url": "https://github.com/papermark/papermark/issues/2178"
},
{
"type": "WEB",
"url": "https://github.com/AstoKr/papermark/pull/1"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/papermark-cors-misconfiguration-in-viewer-upload-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4XQM-4P72-87H6
Vulnerability from github – Published: 2023-07-06 22:55 – Updated: 2023-07-06 22:55Impact
The Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of Sentry installation. This only affects installations that have system.base-hostname option explicitly set, as it is empty by default.
Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks.
Patches
The patch has been released in Sentry 23.6.2.
Workarounds
For Sentry SaaS customers, no action is needed.
For self-hosted Sentry installations that have system.base-hostname explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds.
References
Credits
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sentry"
},
"ranges": [
{
"events": [
{
"introduced": "23.6.0"
},
{
"fixed": "23.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-36829"
],
"database_specific": {
"cwe_ids": [
"CWE-697",
"CWE-863",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T22:55:44Z",
"nvd_published_at": "2023-07-06T23:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of Sentry installation. This only affects installations that have `system.base-hostname` option explicitly set, as it is empty by default.\n\nImpact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks.\n\n### Patches\nThe patch has been released in [Sentry 23.6.2](https://github.com/getsentry/self-hosted/releases/tag/23.6.2).\n\n### Workarounds\n\nFor Sentry SaaS customers, no action is needed.\n\nFor self-hosted Sentry installations that have `system.base-hostname` explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds.\n\n### References\n- [getsentry/sentry PR #52276](https://github.com/getsentry/sentry/pull/52276)\n\n### Credits\n- [@andr0idp4r4n0id](https://twitter.com/andr0idp4r4n0id)",
"id": "GHSA-4xqm-4p72-87h6",
"modified": "2023-07-06T22:55:44Z",
"published": "2023-07-06T22:55:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-4xqm-4p72-87h6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36829"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/pull/52276"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/commit/19248fb9802c252665b802aeab02fdc65ed47dc9"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/commit/ee44c6be35e5e464bc40637580f39867898acd8b"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/self-hosted/releases/tag/23.6.2"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2023-115.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sentry CORS misconfiguration"
}
GHSA-5FR5-2C3F-3FCR
Vulnerability from github – Published: 2026-06-19 00:31 – Updated: 2026-06-19 00:31PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.
{
"affected": [],
"aliases": [
"CVE-2026-56076"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-18T23:16:19Z",
"severity": "HIGH"
},
"details": "PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette\u0027s Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.",
"id": "GHSA-5fr5-2c3f-3fcr",
"modified": "2026-06-19T00:31:37Z",
"published": "2026-06-19T00:31:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56076"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/praisonai-cross-origin-agent-execution-via-hardcoded-wildcard-cors-and-missing-authentication-on-agui-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5QWW-R3F5-W3W9
Vulnerability from github – Published: 2023-02-01 15:30 – Updated: 2023-02-08 21:30Last Yard 22.09.8-1 is vulnerable to Cross-origin resource sharing (CORS).
{
"affected": [],
"aliases": [
"CVE-2022-47717"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T14:15:00Z",
"severity": "HIGH"
},
"details": "Last Yard 22.09.8-1 is vulnerable to Cross-origin resource sharing (CORS).",
"id": "GHSA-5qww-r3f5-w3w9",
"modified": "2023-02-08T21:30:19Z",
"published": "2023-02-01T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47717"
},
{
"type": "WEB",
"url": "https://github.com/l00neyhacker/CVE-2022-47717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62GP-CQPW-RGH4
Vulnerability from github – Published: 2024-11-11 21:31 – Updated: 2024-11-11 21:31In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6
{
"affected": [],
"aliases": [
"CVE-2024-10315"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-11T20:15:17Z",
"severity": "MODERATE"
},
"details": "In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6",
"id": "GHSA-62gp-cqpw-rgh4",
"modified": "2024-11-11T21:31:48Z",
"published": "2024-11-11T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10315"
},
{
"type": "WEB",
"url": "https://portal.perforce.com/s/detail/a91PA000001SZVJYA4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Mitigation
Strategy: Attack Surface Reduction
Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Mitigation
Strategy: Environment Hardening
For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
No CAPEC attack patterns related to this CWE.