Submit #574826: itwanger paicoding from version 1.0.0 to 1.0.3 Permissive Cross-domain Policy with Untrusted Domainsinfo

Titleitwanger paicoding from version 1.0.0 to 1.0.3 Permissive Cross-domain Policy with Untrusted Domains
DescriptionThe server’s CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read sensitive responses. Project Link: https://github.com/itwanger/paicoding Affected Version: from version 1.0.0 to 1.0.3 Affected API: backend apis such as http://localhost:8080/admin/user/info Code Location: /paicoding-core/src/main/java/com/github/paicoding/forum/core/util/CrossUtil.java:20
Source⚠️ https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250510-02.md
User
 ShenxiuSecurity (UID 84374)
Submission05/10/2025 02:24 (1 Year ago)
Moderation05/16/2025 16:40 (7 days later)
StatusAccepted
VulDB entry309307 [itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 CrossUtil.java cross-domain policy]
Points20

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!