Description
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.
References
- Patch, Third Party Advisory
- Third Party Advisory
- Patch, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 0.07 (excluding)
cpe:2.3:a:uncurl_project:uncurl:*:*:*:*:*:*:*:*
Configuration 2: versions before 140-3 (excluding)
cpe:2.3:a:parsecgaming:parsec:*:*:*:*:*:*:*:*
EPSS
Percentile: 63%
0.00437
Low
CVSS3: 8.8 High
CVSS2: 9.3 Critical
Weaknesses
CWE-352
Related vulnerabilities
CVSS3: 8.8
github
more than 3 years ago
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.