VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2025 · Updated Feb 12, 2025

Mindskip xzs-mysql 学之思开源考试系统 CORS cross-domain policy

CVE-2025-1083

Description

Mindskip xzs-mysql 3.9.0 has an overly permissive CORS configuration that allows attackers to make authenticated cross-origin requests, potentially leading to data exposure or unauthorized actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2025-1083 affects Mindskip xzs-mysql (学之思开源考试系统) version 3.9.0. The vulnerability resides in the CORS handler, which is configured to reflect arbitrary Origin headers supplied by the client and to set Access-Control-Allow-Credentials: true. This permissive cross-domain policy (CWE-942, CWE-346) allows any untrusted domain to make cross-origin requests that include cookies and other credentials, effectively removing the browser’s Same-Origin Policy protection for the affected endpoints. Multiple endpoints, including /api/user/login, are known to be exposed [1].

Exploitation

The attacker must lure an authenticated victim into visiting a malicious page (e.g., http://evil.com). The attacker-controlled page then sends a crafted XMLHttpRequest or fetch call to the vulnerable target endpoint, with credentials: 'include'. The server reflects the attacker’s origin (Origin: http://evil.com) in the response header Access-Control-Allow-Origin: http://evil.com and includes Access-Control-Allow-Credentials: true. This allows the attacker’s script to read the response, which may contain sensitive user data or tokens. A proof-of-concept exists using tools like Burp Suite to demonstrate this behavior [1].

Impact

A successful attack can lead to the disclosure of sensitive user data, unauthorized API actions performed in the context of the victim’s session, and potential session hijacking if combined with session fixation or cookie theft. The attacker can obtain data from authenticated endpoints or perform state-changing operations on behalf of the victim without their consent [1].

Mitigation

As of the publication date, the vendor has not responded to the disclosure and no official patch or updated version has been released. The application remains vulnerable. A workaround is to configure the Access-Control-Allow-Origin header from an explicit allowlist of trusted origins (exact scheme, host and port, never a reflected or pattern-matched value) and to drop the Access-Control-Allow-Credentials: true header unless it is strictly required, in which case it should be sent only together with one of those allowlisted origins. Reviewing and hardening the CORS middleware in the application’s configuration is strongly recommended [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: = 3.9.0
  • Mindskip/xzs-mysql 学之思开源考试系统v5
    Range: 3.9.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application echoes back any Origin header value in the Access-Control-Allow-Origin response header without validating the domain, and sets Access-Control-Allow-Credentials: true, enabling cross-origin requests from arbitrary untrusted origins."

Attack vector

An attacker hosts a malicious page on an arbitrary domain (e.g., http://evil.com) and lures a victim who has an active authenticated session with the xzs-mysql application. When the victim's browser executes the attacker's JavaScript, it sends a cross-origin request to the application with Origin: http://evil.com. The server reflects that origin in Access-Control-Allow-Origin and includes Access-Control-Allow-Credentials: true [1], so the browser permits the attacker's script to read the authenticated response and any sensitive data it carries (the session cookie itself is attached to the request by the browser; what the attacker gains is read access to whatever the victim's session returns). The attack is launched remotely but requires the victim to visit the attacker's page while authenticated, making exploitation more difficult than a direct network attack.

Affected code

The CORS handler in Mindskip xzs-mysql 3.9.0 is affected. Multiple endpoints are reachable, including /api/user/login [1]. The exact implementation file is not identified in the advisory, but the behavior indicates a global CORS filter or interceptor that copies the Origin header into the response without validation.

What the fix does

No patch has been published by the vendor. The advisory [1] recommends restricting the CORS policy to a whitelist of trusted origins, removing the dynamic reflection of the Origin header, and either disabling Access-Control-Allow-Credentials or limiting it to specific origins. Without a fix, administrators should configure a reverse proxy or web application firewall to enforce a strict CORS allowlist.
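The allowlist behaviour recommended in the Mitigation and "What the fix does" sections, side by side with the reflective behaviour the advisory describes, as an added illustration that is not code from xzs-mysql or from the advisory. The trusted origins, the sample Origin values (including the `evil.example` placeholder) and all function names are constructed for this example. The `naive_prefix` variant is included because a prefix check is the most common incomplete fix for this class of bug:

```python
"""Reflective vs allowlisted CORS decisions, run over constructed Origin values.

cors_headers_vulnerable() models the behaviour the advisory describes for
xzs-mysql 3.9.0 (echo any Origin, always allow credentials). The trusted
origins, sample origins and function names are constructed for this
illustration and are not taken from the project.
"""

# Constructed allowlist: the exact origins the application's own front-end is
# served from. Exact strings (scheme + host + port), never patterns.
TRUSTED_ORIGINS = frozenset({
    "https://exam.example.com",
    "https://admin.example.com",
})

# Constructed sample Origin header values, including the lookalikes that
# defeat prefix or substring checks.
SAMPLE_ORIGINS = [
    "https://exam.example.com",                # legitimate front-end
    "http://evil.example",                     # arbitrary untrusted site (placeholder)
    "https://exam.example.com.evil.example",   # trusted origin used as a prefix
    "https://evil-exam.example.com",           # unrelated sibling host
    "null",                                    # sandboxed iframe / file: page
    "http://exam.example.com",                 # right host, wrong scheme
]


def cors_headers_vulnerable(origin):
    """The 3.9.0 behaviour from the advisory: copy Origin into
    Access-Control-Allow-Origin unconditionally and always allow credentials.
    Every origin, including 'null' and an attacker's, gets a readable,
    cookie-bearing response."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_naive_prefix(origin):
    """A common incomplete fix: accept any Origin that *starts with* a trusted
    origin. A lookalike such as https://exam.example.com.evil.example passes."""
    if origin and any(origin.startswith(t) for t in TRUSTED_ORIGINS):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_hardened(origin):
    """Allowlisted CORS: echo the origin only on an exact match, and emit
    Access-Control-Allow-Credentials only next to an allowed origin. Anything
    else gets no CORS grant at all, so the browser refuses the cross-origin
    read. Vary: Origin stops a shared cache from replaying one origin's grant
    to another."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}


def credentialed_read_allowed(headers, page_origin):
    """The browser-side check for fetch(..., credentials: 'include'): the
    response is exposed to the page only if Access-Control-Allow-Origin equals
    the page's origin exactly ('*' is rejected with credentials) and
    Access-Control-Allow-Credentials is 'true'."""
    return (
        headers.get("Access-Control-Allow-Origin") == page_origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


def readable_origins(policy):
    """Sorted list of sample origins whose page could read a credentialed
    response under the given policy function."""
    return sorted(o for o in SAMPLE_ORIGINS
                  if credentialed_read_allowed(policy(o), o))


if __name__ == "__main__":
    for name, policy in (("vulnerable", cors_headers_vulnerable),
                         ("naive prefix", cors_headers_naive_prefix),
                         ("hardened", cors_headers_hardened)):
        print(f"{name:13s} readable by: {readable_origins(policy)}")
```

Running the script shows the reflective policy granting a credentialed read to every sample origin, `null` included; the prefix check still grants one to the `exam.example.com.evil.example` lookalike; only the exact-match allowlist limits the grant to the legitimate front-end. The same exact-match rule is what a reverse proxy or WAF allowlist in front of the application has to enforce.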

Preconditions

  • auth: The victim must have an active authenticated session (JSESSIONID cookie) with the xzs-mysql application.
  • input: The victim must visit a malicious page controlled by the attacker while the session is active.
  • network: The attacker's page must be able to send cross-origin requests to the application (no network-level blocking).

Reproduction

1. Capture a request to the xzs-mysql application (e.g., POST /api/user/login) in Burp Suite.
2. Modify the Origin header to http://evil.com (or any arbitrary domain).
3. Observe that the response includes Access-Control-Allow-Origin: http://evil.com and Access-Control-Allow-Credentials: true [1].
4. An attacker can host a page on http://evil.com that issues authenticated cross-origin requests to the application and reads the responses.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)
