Exploit Intelligence Platform – 370K+ CVEs, Ranked Exploits & EPSS Scores

CVE-2022-22757 6.5 MEDIUM EPSS 0.00

Mozilla Firefox < 97.0 - Origin Validation Error

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97.

CWE-345 Dec 22, 2022

CVE-2022-1520 4.3 MEDIUM EPSS 0.00

Mozilla Thunderbird < 91.9 - Origin Validation Error

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9.

CWE-346 Dec 22, 2022

CVE-2022-41961 4.3 MEDIUM EPSS 0.00

Bigbluebutton < 2.4 - Origin Validation Error

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.

CWE-345 Dec 16, 2022

CVE-2022-41924 9.6 CRITICAL 1 PoC Analysis EPSS 0.54

Tailscale < 1.32.3 - CSRF

A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.

CWE-346 Nov 23, 2022

CVE-2022-3457 9.8 CRITICAL 1 Writeup EPSS 0.00

Ikus-soft Rdiffweb < 2.5.0 - Origin Validation Error

Origin Validation Error in GitHub repository ikus060/rdiffweb prior to 2.5.0a5.

CWE-346 Oct 13, 2022

CVE-2022-41749 7.8 HIGH EPSS 0.00

Trend Micro Apex One - Privilege Escalation

An origin validation error vulnerability in Trend Micro Apex One agents could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CWE-346 Oct 10, 2022

CVE-2022-41294 6.5 MEDIUM EPSS 0.00

IBM Robotic Process Automation <21.0.5 - SSRF

IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, 21.0.3, and 21.0.4 is vulnerable to cross origin resource sharing using the bot api. IBM X-Force ID: 236807.

CWE-346 Oct 06, 2022

CVE-2022-22637 8.8 HIGH EPSS 0.00

macOS Monterey <12.3 - CSRF

A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. A malicious website may cause unexpected cross-origin behavior.

CWE-346 Sep 23, 2022

CVE-2022-40140 5.5 MEDIUM 3 PoCs Analysis EPSS 0.00

Trendmicro Apex One - Origin Validation Error

An origin validation error vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to cause a denial-of-service on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CWE-346 Sep 19, 2022

CVE-2022-23764 8.8 HIGH EPSS 0.00

Teruten Webcube < 1.2.0.0 - Origin Validation Error

The vulnerability causing from insufficient verification procedures for downloaded files during WebCube update. Remote attackers can bypass this verification logic to update both digitally signed and unauthorized files, enabling remote code execution.

CWE-346 Aug 17, 2022

CVE-2022-1497 6.5 MEDIUM EPSS 0.00

Google Chrome < 101.0.4951.41 - Origin Validation Error

Inappropriate implementation in Input in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to spoof the contents of cross-origin websites via a crafted HTML page.

CWE-346 Jul 26, 2022

CVE-2022-31151 3.7 LOW EPSS 0.00

undici - Open Redirect

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).

CWE-346 Jul 21, 2022

CVE-2022-26137 8.8 HIGH EPSS 0.00

Atlassian - CORS Bypass

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

CWE-180 Jul 20, 2022

CVE-2022-23763 7.8 HIGH EPSS 0.00

Douzone Neors < 2021.3.10.1 - Origin Validation Error

Origin validation error vulnerability in NeoRS’s ActiveX moudle allows attackers to download and execute arbitrary files. Remote attackers can use this vulerability to encourage users to access crafted web pages, causing damage such as malicious code infections.

CWE-346 Jun 28, 2022

CVE-2022-1747 4.6 MEDIUM EPSS 0.00

Dominionvoting Imagecast X - Origin Validation Error

The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization.

CWE-346 Jun 24, 2022

CVE-2022-30228 8.8 HIGH EPSS 0.00

Siemens Sicam Gridedge Essential < 2.6.6 - Origin Validation Error

A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected software does not apply cross-origin resource sharing (CORS) restrictions for critical operations. In case an attacker tricks a legitimate user into accessing a special resource a malicious request could be executed.

CWE-346 Jun 14, 2022

CVE-2022-31024 6.5 MEDIUM EPSS 0.00

NextCloud Collabra <6.0.0, <5.0.4, <4.2.6 - Info Disclosure

richdocuments is the repository for NextCloud Collabra, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available.

CWE-284 Jun 02, 2022

CVE-2022-25227 8.8 HIGH EPSS 0.00

Cybelesoft Thinfinity Vnc - Origin Validation Error

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

CWE-346 May 20, 2022

CVE-2022-29818 3.9 LOW EPSS 0.00

Jetbrains Intellij Idea < 2022.1 - Origin Validation Error

In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed

CWE-346 Apr 28, 2022

CVE-2021-32985 7.2 HIGH EPSS 0.00

AVEVA System Platform <2020 R2 P01 - Info Disclosure

AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid.

CWE-346 Apr 04, 2022

CVE & Exploit Intelligence Database

Investigate

Ecosystems

Reference Indexes

Recent Blog Posts

CVEForge Labs

KEV Gaps