| 제목 | itwanger paicoding from version 1.0.0 to 1.0.3 Permissive Cross-domain Policy with Untrusted Domains |
|---|
| 설명 | The server’s CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read sensitive responses.
Project Link: https://github.com/itwanger/paicoding
Affected Version: from version 1.0.0 to 1.0.3
Affected API: backend apis such as http://localhost:8080/admin/user/info
Code Location: /paicoding-core/src/main/java/com/github/paicoding/forum/core/util/CrossUtil.java:20 |
|---|
| 원천 | ⚠️ https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250510-02.md |
|---|
| 사용자 | ShenxiuSecurity (UID 84374) |
|---|
| 제출 | 2025. 05. 10. AM 02:24 (1 년도 ago) |
|---|
| 모더레이션 | 2025. 05. 16. PM 04:40 (7 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 309307 [itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 CrossUtil.java 권한 상승] |
|---|
| 포인트들 | 20 |
|---|