Severity: High

Project: devika

CORS Misconfiguration Leading to Data Leak

A Cross-Origin Resource Sharing (CORS) misconfiguration in the Devika platform allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys. The vulnerability also enables attackers to perform actions on behalf of the user, like deleting projects or sending messages. The affected version is not specified, and there is no mention of a patched version.

Available publicly on Jul 09 2024

CVSS Score: 8.1

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Credit: acciobugs

Remediation Steps
  • Ensure that the CORS policy on the Devika platform is correctly configured to only allow requests from trusted origins.
  • Implement additional security measures such as CSRF tokens to protect against unauthorized actions being performed on behalf of users.
  • Regularly audit and update security configurations to prevent similar vulnerabilities.
  • Educate users on the risks of visiting untrusted websites and clicking on suspicious links.
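The first two remediation steps, shown side by side in code. This is an added example, not Devika's code and not from the advisory: the page does not name Devika's web framework, so the example is framework-agnostic Python that only computes the response headers a server would emit and simulates the browser's cross-origin read decision. The allowlist in TRUSTED_ORIGINS, the origins used in the sample calls, and every function name are constructed for illustration.

```python
"""Reflective CORS (the misconfiguration) beside an allowlisted, CSRF-checked version.

Added example, not code from the Devika project. All origins below are constructed.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed allowlist: the origins the application's own front end is served from.
# Exact origins only (scheme + host + port). Never add "*" or "null" here.
TRUSTED_ORIGINS = {"http://localhost:3000", "https://devika.example.test"}


def cors_headers_reflective(origin):
    """The misconfiguration: echo any Origin and allow credentials.

    A browser on an attacker-controlled page can then read authenticated
    responses (logs, settings, session data) from the API.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def _is_well_formed_origin(origin):
    """An Origin header is scheme://host[:port] with no path or query."""
    parts = urlsplit(origin)
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and parts.path == ""
            and parts.query == "")


def cors_headers_allowlist(origin, allowed=TRUSTED_ORIGINS):
    """Hardened: exact-match allowlist, 'Vary: Origin' so caches keep entries apart.

    Exact matching avoids the classic suffix/prefix bugs where
    'http://localhost:3000.attacker.example' or 'https://devika.example.test.evil'
    would pass an endswith()/startswith() check.
    """
    if origin is None or not _is_well_formed_origin(origin) or origin not in allowed:
        return {}  # no CORS headers: the browser refuses the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_cross_origin_readable(headers, requesting_origin, with_credentials=True):
    """Simulate the browser: may script on requesting_origin read this response?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        # The wildcard is never honoured for credentialed requests.
        return not with_credentials
    if acao != requesting_origin:
        return False
    if with_credentials:
        return headers.get("Access-Control-Allow-Credentials") == "true"
    return True


def new_csrf_token():
    """Per-session token the server stores and the front end sends back."""
    return secrets.token_urlsafe(32)


def state_change_allowed(method, origin, session_token, submitted_token,
                         allowed=TRUSTED_ORIGINS):
    """Gate for actions such as deleting a project or sending a message.

    Safe methods pass. For anything else, a present Origin must be trusted and
    the submitted CSRF token must match the session's token (constant-time).
    """
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    if origin is not None and origin not in allowed:
        return False
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    evil = "https://attacker.example"  # constructed third-party origin
    print("reflective, readable by attacker page:",
          is_cross_origin_readable(cors_headers_reflective(evil), evil))
    print("allowlist, readable by attacker page:",
          is_cross_origin_readable(cors_headers_allowlist(evil), evil))
```

The allowlist version returns no CORS headers at all for an untrusted origin rather than a deliberately wrong one; either way the browser blocks the read, but omitting the headers keeps caches and proxies from ever seeing an Access-Control-Allow-Origin value they could serve to the wrong client.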

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A