CVE-2018-6651

HIGH

uncurl < 0.07 - Cross-Site Request Forgery via Origin Header Substring Match

Title source: llm
STIX 2.1

Description

In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.

References (3)

Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/chrisd1100/uncurl/releases/tag/0.07

Scores

CVSS v3 8.8
EPSS 0.0216
EPSS Percentile 80.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (2)
parsecgaming/parsec < 140-3
uncurl_project/uncurl < 0.07
Published Feb 05, 2018
Tracked Since Feb 18, 2026