CVE & Exploit Intelligence Database

Updated 5h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,847 CVEs tracked | 53,242 with exploits | 4,725 exploited in the wild | 1,540 in CISA KEV | 3,918 Nuclei templates | 37,802 vendors | 42,493 researchers

441 results
CVE-2018-6654 | CVSS 8.8 HIGH | EPSS 0.00
Grammarly - Origin Validation Error
The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens is not restricted to any specific web site.
CWE-346 | Feb 06, 2018
CVE-2017-18016 | CVSS 5.3 MEDIUM | 1 PoC | Analysis | EPSS 0.02
Parity Browser - Origin Validation Error
Parity Browser 1.6.10 and earlier allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by requesting other websites via the Parity web proxy engine (reusing the current website's token, which is not bound to an origin).
CWE-346 | Jan 11, 2018
CVE-2017-1000455 | CVSS 5.5 MEDIUM | EPSS 0.00
GNU Guixsd < 0.13.0 - Origin Validation Error
GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading to the creation of setuid executables in "the store" and violating a fundamental security assumption of GNU Guix.
CWE-346 | Jan 02, 2018
CVE-2017-7561 | CVSS 7.5 HIGH | 1 PoC | Analysis | EPSS 0.01
Red Hat JBoss EAP <4.0.0.Beta1 - SSRF
Red Hat JBoss EAP versions from 3.0.7 up to, but not including, 4.0.0.Beta1 are vulnerable to server-side cache poisoning or CORS requests in the JAX-RS component, resulting in a moderate impact.
CWE-346 | Sep 13, 2017
CVE-2017-0902 | CVSS 8.1 HIGH | 1 Writeup | EPSS 0.05
RubyGems <2.6.12 - SSRF
RubyGems version 2.6.12 and earlier is vulnerable to DNS hijacking, which allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
CWE-346 | Aug 31, 2017
CVE-2017-8650 | CVSS 5.4 MEDIUM | EPSS 0.01
Microsoft Edge - Origin Validation Error
Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exploit a security feature bypass due to Microsoft Edge not properly enforcing same-origin policies, aka "Microsoft Edge Security Feature Bypass Vulnerability".
CWE-346 | Aug 08, 2017
CVE-2017-8530 | CVSS 5.4 MEDIUM | EPSS 0.01
Microsoft Edge - Origin Validation Error
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to trick a user into loading a page with malicious content when Microsoft Edge does not properly enforce same-origin policies, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-8523 and CVE-2017-8555.
CWE-346 | Jun 15, 2017
CVE-2017-8523 | CVSS 4.3 MEDIUM | EPSS 0.01
Microsoft Edge - Origin Validation Error
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to trick a user into loading a page with malicious content when Microsoft Edge fails to correctly apply the Same Origin Policy for HTML elements present in other browser windows, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-8530 and CVE-2017-8555.
CWE-346 | Jun 15, 2017
CVE-2017-7667 | CVSS 7.5 HIGH | EPSS 0.00
Apache NiFi <1.3.0 - Info Disclosure
Apache NiFi before 0.7.4 and 1.x before 1.3.0 do not set the response header that tells browsers to allow framing only from the same origin.
CWE-346 | Jun 12, 2017
CVE-2017-5646 | CVSS 6.8 MEDIUM | EPSS 0.00
Apache Knox < 0.12.0 - Origin Validation Error
For versions of Apache Knox from 0.2.0 to 0.11.0, an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
CWE-346 | May 26, 2017
CVE-2017-8793 | CVSS 8.8 HIGH | EPSS 0.00
Accellion File Transfer Appliance < 9_12_40 - Origin Validation Error
An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.
CWE-346 | May 05, 2017
CVE-2017-6519 | CVSS 9.1 CRITICAL | EPSS 0.01
Avahi < 0.6.32 - Origin Validation Error
avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.
CWE-346 | May 01, 2017
CVE-2016-5168 | CVSS 7.5 HIGH | EPSS 0.10
Google Chrome < 50.0.2661.91 - Origin Validation Error
Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information.
CWE-346 | Apr 21, 2017
CVE-2016-8358 | CVSS 8.5 HIGH | EPSS 0.00
Smiths-Medical CADD-Solis Medication Safety Software - Info Disclosure
An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Versions 1.0, 2.0, 3.0, and 3.1. The affected software does not verify the identities at communication endpoints, which may allow a man-in-the-middle attacker to gain access to the communication channel between endpoints.
CWE-346 | Feb 13, 2017
CVE-2017-5858 | CVSS 5.9 MEDIUM | 1 Writeup | EPSS 0.00
Conversejs Converse.js < 1.0.7 - Origin Validation Error
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4).
CWE-346 | Feb 09, 2017
CVE-2017-5606 | CVSS 5.9 MEDIUM | EPSS 0.00
Xabber < 1.0.30 - Origin Validation Error
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android).
CWE-346 | Feb 09, 2017
CVE-2017-5605 | CVSS 5.9 MEDIUM | EPSS 0.00
Movim - Origin Validation Error
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Movim 0.8 - 0.10.
CWE-346 | Feb 09, 2017
CVE-2017-5604 | CVSS 5.9 MEDIUM | EPSS 0.00
Mcabber - Origin Validation Error
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for mcabber 1.0.0 - 1.0.4.
CWE-346 | Feb 09, 2017
CVE-2017-5603 | CVSS 5.9 MEDIUM | 1 Writeup | EPSS 0.00
Jitsi - Origin Validation Error
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Jitsi 2.5.5061 - 2.9.5544.
CWE-346 | Feb 09, 2017
CVE-2017-5602 | CVSS 5.9 MEDIUM | 1 Writeup | EPSS 0.00
Jappix - Origin Validation Error
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Jappix 1.0.0 to 1.1.6.
CWE-346 | Feb 09, 2017