exploitDog

CVE-2024-8026

Опубликовано: 20 мар. 2025

Источник: nvd

CVSS3: 8.1

CVSS3: 8.1

EPSS Низкий

Описание

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and managing knowledge bases.

Ссылки

https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274
Exploit
Third Party Advisory
https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:qanything:qanything:*:*:*:*:*:*:*:*

Версия до 2024-06-24 (включая)

EPSS

Процентиль: 11%

0.00039

Низкий

8.1 High

CVSS3

8.1 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-m62f-m76v-gfwr

CVSS3: 8.1

github

11 месяцев назад

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and managing knowledge bases.

EPSS

Процентиль: 11%

0.00039

Низкий

8.1 High

CVSS3

8.1 High

CVSS3

Дефекты

CWE-352