Total
437 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-1502 | 5 Mozilla, Opensuse, Opensuse Project and 2 more | 8 Firefox, Seamonkey, Opensuse and 5 more | 2025-04-12 | 6.8 MEDIUM | N/A |
|
The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors.
|
|||||
| CVE-2017-20146 | 1 Gorillatoolkit | 1 Handlers | 2025-04-11 | N/A | 9.8 CRITICAL |
|
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
|
|||||
| CVE-2011-3072 | 1 Google | 1 Chrome | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to pop-up windows.
|
|||||
| CVE-2011-2856 | 1 Google | 1 Chrome | 2025-04-11 | 7.5 HIGH | N/A |
|
Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
|
|||||
| CVE-2011-3956 | 1 Google | 1 Chrome | 2025-04-11 | 6.8 MEDIUM | N/A |
|
The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension.
|
|||||
| CVE-2011-3056 | 3 Apple, Google, Opensuse | 4 Iphone Os, Safari, Chrome and 1 more | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Google Chrome before 17.0.963.83 allows remote attackers to bypass the Same Origin Policy via vectors involving a "magic iframe."
|
|||||
| CVE-2012-4193 | 4 Canonical, Mozilla, Redhat and 1 more | 12 Ubuntu Linux, Firefox, Seamonkey and 9 more | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
|
|||||
| CVE-2011-3067 | 2 Apple, Google | 3 Iphone Os, Safari, Chrome | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to replacement of IFRAME elements.
|
|||||
| CVE-2023-22899 | 1 Zip4j Project | 1 Zip4j | 2025-04-09 | N/A | 5.9 MEDIUM |
|
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
|
|||||
| CVE-2009-1185 | 7 Canonical, Debian, Fedoraproject and 4 more | 9 Ubuntu Linux, Debian Linux, Fedora and 6 more | 2025-04-09 | 7.2 HIGH | N/A |
|
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
|
|||||
| CVE-2021-33959 | 1 Plex | 1 Media Server | 2025-04-04 | N/A | 7.5 HIGH |
|
Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service.
|
|||||
| CVE-2025-23109 | 1 Mozilla | 1 Firefox | 2025-04-03 | N/A | 6.5 MEDIUM |
|
Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134.
|
|||||
| CVE-2000-1218 | 1 Microsoft | 5 Windows 2000, Windows 98, Windows 98se and 2 more | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
|
The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.
|
|||||
| CVE-2003-0981 | 1 Freescripts | 1 Visitorbook Le | 2025-04-03 | 4.3 MEDIUM | 6.1 MEDIUM |
|
FreeScripts VisitorBook LE (visitorbook.pl) logs the reverse DNS name of a visiting host, which allows remote attackers to spoof the origin of their incoming requests and facilitate cross-site scripting (XSS) attacks.
|
|||||
| CVE-2005-0877 | 1 Thekelleys | 1 Dnsmasq | 2025-04-03 | 5.0 MEDIUM | 7.5 HIGH |
|
Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.
|
|||||
| CVE-2001-1452 | 1 Microsoft | 2 Windows 2000, Windows Nt | 2025-04-03 | 5.0 MEDIUM | 7.5 HIGH |
|
By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which allows remote attackers to poison the DNS cache via spoofed DNS responses.
|
|||||
| CVE-1999-1549 | 1 Lynx Project | 1 Lynx | 2025-04-03 | 5.0 MEDIUM | 7.8 HIGH |
|
Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands.
|
|||||
| CVE-2003-0174 | 1 Sgi | 1 Irix | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
|
The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a password.
|
|||||
| CVE-2024-8487 | 1 Modelscope | 1 Agentscope | 2025-04-01 | N/A | 9.8 CRITICAL |
|
A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential further exploitation, thereby compromising the integrity and confidentiality of the system.
|
|||||
| CVE-2024-45352 | 2025-03-27 | N/A | 8.8 HIGH | ||
|
An code execution vulnerability exists in the Xiaomi smarthome application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.
|
|||||
| CVE-2024-45354 | 2025-03-27 | N/A | 4.3 MEDIUM | ||
|
A code execution vulnerability exists in the Xiaomi shop applicationproduct. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.
|
|||||
| CVE-2024-45353 | 2025-03-27 | N/A | 4.3 MEDIUM | ||
|
An intent redriction vulnerability exists in the Xiaomi quick App framework application product. The vulnerability is caused by improper input validation and can be exploited by attackers tointent redriction.
|
|||||
| CVE-2024-36303 | 1 Trendmicro | 1 Apex One | 2025-03-25 | N/A | 7.8 HIGH |
|
An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This vulnerability is similar to, but not identical to, CVE-2024-36302.
|
|||||
| CVE-2025-25302 | 1 Danielgatis | 1 Rembg | 2025-03-21 | N/A | 6.5 MEDIUM |
|
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.
|
|||||
| CVE-2023-0132 | 2 Google, Microsoft | 2 Chrome, Windows | 2025-03-20 | N/A | 6.5 MEDIUM |
|
Inappropriate implementation in in Permission prompts in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to force acceptance of a permission prompt via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2024-8183 | 2025-03-20 | N/A | 7.6 HIGH | ||
|
A CORS (Cross-Origin Resource Sharing) misconfiguration in prefecthq/prefect version 2.20.2 allows unauthorized domains to access sensitive data. This vulnerability can lead to unauthorized access to the database, resulting in potential data leaks, loss of confidentiality, service disruption, and data integrity risks.
|
|||||
| CVE-2024-7819 | 2025-03-20 | N/A | 7.4 HIGH | ||
|
A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the application's API.
|
|||||
| CVE-2024-11602 | 2025-03-20 | N/A | 7.4 HIGH | ||
|
A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass intended security controls and potentially expose sensitive information.
|
|||||
| CVE-2025-21511 | 1 Oracle | 1 Jd Edwards Enterpriseone Tools | 2025-03-17 | N/A | 7.5 HIGH |
|
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 7 ...
Show More |
|||||
| CVE-2024-21245 | 1 Oracle | 1 Jd Edwards Enterpriseone Tools | 2025-03-17 | N/A | 5.4 MEDIUM |
|
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infra SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impac ...
Show More |
|||||
| CVE-2025-2346 | 2025-03-16 | 5.1 MEDIUM | 5.6 MEDIUM | ||
|
A vulnerability has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308 and classified as problematic. This vulnerability affects unknown code of the component Domain Handler. The manipulation of the argument Domain Name leads to origin validation error. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.
|
|||||
| CVE-2024-41143 | 1 Skygroup | 1 Skysea Client View | 2025-03-14 | N/A | 7.8 HIGH |
|
Origin validation error vulnerability exists in SKYSEA Client View Ver.3.013.00 to Ver.19.210.04e. If this vulnerability is exploited, an arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed.
|
|||||
| CVE-2025-23117 | 2025-03-05 | N/A | 6.8 MEDIUM | ||
|
An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system.
|
|||||
| CVE-2023-26114 | 1 Coder | 1 Code-server | 2025-02-25 | N/A | 8.2 HIGH |
|
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
|
|||||
| CVE-2023-5973 | 1 Broadcom | 1 Fabric Operating System | 2025-02-13 | N/A | 4.3 MEDIUM |
|
Brocade
Web Interface in Brocade Fabric OS v9.x and before v9.2.0 does not
properly represent the portName to the user if the portName contains
reserved characters. This could allow an authenticated user to alter the
UI of the Brocade Switch and change ports display.
|
|||||
| CVE-2024-25124 | 1 Gofiber | 1 Fiber | 2025-02-05 | N/A | 9.4 CRITICAL |
|
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized ac ...
Show More |
|||||
| CVE-2023-46715 | 1 Fortinet | 1 Fortios | 2025-01-31 | N/A | 5.0 MEDIUM |
|
An origin validation error [CWE-346] vulnerability in Fortinet FortiOS IPSec VPN version 7.4.0 through 7.4.1 and version 7.2.6 and below allows an authenticated IPSec VPN user with dynamic IP addressing to send (but not receive) packets spoofing the IP of another user via crafted network packets.
|
|||||
| CVE-2023-2445 | 1 Devolutions | 1 Devolutions Server | 2025-01-30 | N/A | 4.9 MEDIUM |
|
Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator privileges to retrieve usage information on folders in user vaults via a specific folder name.
|
|||||
| CVE-2023-29868 | 1 Zammad | 1 Zammad | 2025-01-30 | N/A | 6.5 MEDIUM |
|
Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker with agent and customer roles could perform unauthorized changes on articles where they only have customer permissions.
|
|||||
| CVE-2023-29867 | 1 Zammad | 1 Zammad | 2025-01-30 | N/A | 6.5 MEDIUM |
|
Zammad 5.3.x (Fixed 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker could gain information about linked accounts of users involved in their tickets using the Zammad API.
|
|||||