VYPR

CWE-346

Origin Validation Error

ClassDraft

Description

The product does not properly verify that the source of data or communication is valid.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89

CVEs mapped to this weakness (296)

page 15 of 15
  • CVE-2021-20199Feb 2, 2021
    risk 0.00cvss epss 0.01

    Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects…

  • CVE-2020-28481Jan 19, 2021
    risk 0.00cvss epss 0.01

    The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

  • CVE-2020-26253Dec 8, 2020
    risk 0.00cvss epss 0.01

    Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin…

  • CVE-2020-11069May 13, 2020
    risk 0.00cvss epss 0.01

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously…

  • CVE-2020-8818Feb 25, 2020
    risk 0.00cvss epss 0.04

    An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret…

  • CVE-2019-11777Sep 11, 2019
    risk 0.00cvss epss 0.01

    In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with…

  • CVE-2019-9764Mar 26, 2019
    risk 0.00cvss epss 0.01

    HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.

  • CVE-2018-20744Jan 28, 2019
    risk 0.00cvss epss 0.01

    The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

  • CVE-2018-20745Jan 28, 2019
    risk 0.00cvss epss 0.01

    Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

  • CVE-2014-1502Mar 19, 2014
    risk 0.00cvss epss 0.01

    The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors.

  • CVE-2012-4193Oct 12, 2012
    risk 0.00cvss epss 0.01

    Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers…

  • CVE-2011-3072Apr 5, 2012
    risk 0.00cvss epss 0.01

    Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to pop-up windows.

  • CVE-2011-3067Apr 5, 2012
    risk 0.00cvss epss 0.01

    Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to replacement of IFRAME elements.

  • CVE-2011-3056Mar 22, 2012
    risk 0.00cvss epss 0.01

    Google Chrome before 17.0.963.83 allows remote attackers to bypass the Same Origin Policy via vectors involving a "magic iframe."

  • CVE-2011-3956Feb 9, 2012
    risk 0.00cvss epss 0.01

    The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension.

  • CVE-2011-2856Sep 19, 2011
    risk 0.00cvss epss 0.01

    Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to bypass the Same Origin Policy via unspecified vectors.