Submeter #567214: freeebird hotel 1.2 branch Permissive Cross-domain Policy with Untrusted Domainsinformação

Títulofreeebird hotel 1.2 branch Permissive Cross-domain Policy with Untrusted Domains
DescriçãoThe server’s CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read sensitive responses. Project Link: https://github.com/freeebird/hotel Affected Version: 1.2 branch Affected API: apis start with http://localhost:8080/ho-api such as http://localhost:8080/ho-api/user/profile Code Location: /src/main/java/cn/mafangui/hotel/tool/SessionInterceptor.java:35
Fonte⚠️ https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250429-01.md
Utilizador
 ShenxiuSecurity (UID 84374)
Submissão29/04/2025 15h08 (há 1 Ano)
Moderação10/05/2025 15h48 (11 days later)
EstadoAceite
Entrada VulDB308288 [Freeebird Hotel 酒店管理系统 API até 1.2 SessionInterceptor.java Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!