CWE-346
Origin Validation Error
ClassDraft
Description
The product does not properly verify that the source of data or communication is valid.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89
CVEs mapped to this weakness (99)
page 1 of 5| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-4495 | Hig | 0.78 | 8.8 | 0.72 | KEV | Aug 8, 2015 | The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015. |
| CVE-2025-9265 | Cri | 0.65 | — | 0.00 | Oct 13, 2025 | A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administratorsThis issue affects Kiloview NDI N30 and was fixed in Firmware version later than 2.02.0246 | |
| CVE-2026-2790 | Cri | 0.64 | 9.8 | 0.00 | Feb 24, 2026 | Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | |
| CVE-2025-30466 | Cri | 0.64 | 9.8 | 0.00 | May 29, 2025 | This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. A website may be able to bypass Same Origin Policy. | |
| CVE-2003-0174 | Cri | 0.64 | 9.8 | 0.00 | May 12, 2003 | The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a password. | |
| CVE-2000-1218 | Cri | 0.64 | 9.8 | 0.02 | Apr 14, 2000 | The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache. | |
| CVE-2025-3651 | Cri | 0.60 | — | 0.00 | Apr 17, 2025 | Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions 10.8.1.46 and earlier allows attackers to execute arbitrary commands via unauthorized access to the Agent service. This has been remediated in Work Desktop for Mac version 10.8.2.33. | |
| CVE-2026-35408 | Hig | 0.57 | 8.7 | 0.00 | Apr 6, 2026 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0. | |
| CVE-2022-50975 | Hig | 0.57 | 8.8 | 0.00 | Feb 2, 2026 | An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. | |
| CVE-2024-45352 | Hig | 0.57 | 8.8 | 0.00 | Mar 27, 2025 | An code execution vulnerability exists in the Xiaomi smarthome application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code. | |
| CVE-2021-47157 | Cri | 0.57 | 9.8 | 0.00 | Mar 18, 2024 | The Kossy module before 0.60 for Perl allows JSON hijacking because of X-Requested-With mishandling. | |
| CVE-2025-59159 | Cri | 0.55 | 9.6 | 0.00 | Oct 6, 2025 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.13.4, the web user interface for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, read chats, inject arbitrary HTML for phishing attacks, etc. The vulnerability has been patched in the version 1.13.4 by introducing a server configuration setting that enables a validation of host names in inbound HTTP requests according to the provided list of allowed hosts: `hostWhitelist.enabled` in config.yaml file or `SILLYTAVERN_HOSTWHITELIST_ENABLED` environment variable. While the setting is disabled by default to honor a wide variety of existing user configurations and maintain backwards compatibility, existing and new users are encouraged to review their server configurations and apply necessary changes to their setup, especially if hosting over the local network while not using SSL. | |
| CVE-2025-3462 | Hig | 0.55 | — | 0.00 | May 9, 2025 | "This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints." An insufficient validation in ASUS DriverHub may allow unauthorized sources to interact with the software's features via crafted HTTP requests. Refer to the 'Security Update for ASUS DriverHub' section on the ASUS Security Advisory for more information. | |
| CVE-2025-9180 | Hig | 0.53 | 8.1 | 0.00 | Aug 19, 2025 | Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2. | |
| CVE-2019-25211 | Cri | 0.52 | 9.1 | 0.00 | Jun 29, 2024 | parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed. | |
| CVE-2026-20893 | Hig | 0.51 | 7.8 | 0.00 | Jan 7, 2026 | Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value. | |
| CVE-1999-1549 | Hig | 0.51 | 7.8 | 0.00 | Nov 16, 1999 | Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands. | |
| CVE-2026-34373 | Hig | 0.50 | 8.8 | 0.00 | Mar 31, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10. | |
| CVE-2026-6903 | Hig | 0.49 | 7.5 | 0.00 | Apr 23, 2026 | The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website. The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed. | |
| CVE-2026-33697 | Hig | 0.49 | 7.5 | 0.00 | Mar 27, 2026 | Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS) in CoCoS is vulnerable to a relay attack affecting all versions from v0.4.0 through v0.8.2. This vulnerability is present in both the AMD SEV-SNP and Intel TDX deployment targets supported by CoCoS. In the affected design, an attacker may be able to extract the ephemeral TLS private key used during the intra-handshake attestation. Because the attestation evidence is bound to the ephemeral key but not to the TLS channel, possession of that key is sufficient to relay or divert the attested TLS session. A client will accept the connection under false assumptions about the endpoint it is communicating with — the attestation report cannot distinguish the genuine attested service from the attacker's relay. This undermines the intended authentication guarantees of attested TLS. A successful attack may allow an attacker to impersonate an attested CoCoS service and access data or operations that the client intended to send only to the genuine attested endpoint. Exploitation requires the attacker to first extract the ephemeral TLS private key, which is possible through physical access to the server hardware, transient execution attacks, or side-channel attacks. Note that the aTLS implementation was fully redesigned in v0.7.0, but the redesign does not address this vulnerability. The relay attack weakness is architectural and affects all releases in the v0.4.0–v0.8.2 range. This vulnerability class was formally analyzed and demonstrated across multiple attested TLS implementations, including CoCoS, by researchers whose findings were disclosed to the IETF TLS Working Group. Formal verification was conducted using ProVerif. As of time of publication, there is no patch available. No complete workaround is available. The following hardening measures reduce but do not eliminate the risk: Keep TEE firmware and microcode up to date to reduce the key-extraction surface; define strict attestation policies that validate all available report fields, including firmware versions, TCB levels, and platform configuration registers; and/or enable mutual aTLS with CA-signed certificates where deployment architecture permits. |