Total: 73 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-25234 | 1 Omnissa | 1 Unified Access Gateway | 2025-04-21 | N/A | 7.1 HIGH |
| Omnissa UAG contains a Cross-Origin Resource Sharing (CORS) bypass vulnerability. A malicious actor with network access to UAG may be able to bypass administrator-configured CORS restrictions to gain access to sensitive networks. | |||||
| CVE-2022-31736 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 9.8 CRITICAL |
| A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. | |||||
| CVE-2022-26969 | 1 Monospace | 1 Directus | 2025-04-14 | N/A | 9.8 CRITICAL |
| In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. | |||||
| CVE-2023-23128 | 1 Connectwise | 1 Connectwise | 2025-03-27 | N/A | 6.1 MEDIUM |
| Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability report is thus not valid. | |||||
| CVE-2022-47717 | 1 Lastyard | 1 Last Yard | 2025-03-27 | N/A | 7.5 HIGH |
| Last Yard 22.09.8-1 is vulnerable to Cross-origin resource sharing (CORS). | |||||
| CVE-2023-23464 | 1 Mediacp | 1 Media Control Panel | 2025-03-19 | N/A | 8.1 HIGH |
| Media CP Media Control Panel latest version. A Permissive Flash Cross-domain Policy may allow information disclosure. | |||||
| CVE-2023-38122 | 1 Inductiveautomation | 1 Ignition | 2025-03-12 | N/A | 7.2 HIGH |
| Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-20539. | |||||
| CVE-2024-21382 | 2 Google, Microsoft | 2 Android, Edge Chromium | 2024-11-21 | N/A | 4.3 MEDIUM |
| Microsoft Edge for Android Information Disclosure Vulnerability | |||||
| CVE-2023-46281 | 1 Siemens | 4 Opcenter Quality, Simatic Pcs Neo, Sinumerik Integrate Runmyhmi /automotive and 1 more | 2024-11-21 | N/A | 7.1 HIGH |
| A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior. | |||||
| CVE-2024-45642 | 2 Ibm, Linux | 2 Security Qradar Edr, Linux Kernel | 2024-11-16 | N/A | 5.3 MEDIUM |
| IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2024-6449 | 1 Hyperview | 1 Geoportal Toolkit | 2024-09-12 | N/A | 6.5 MEDIUM |
| HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides. | |||||
| CVE-2024-41657 | 1 Casbin | 1 Casdoor | 2024-08-28 | N/A | 8.8 HIGH |
| Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user. | |||||
| CVE-2024-32862 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-08-09 | N/A | 8.1 HIGH |
| Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. | |||||
