Description
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests.
Vulnerable configurations
Configuration 1
cpe:2.3:a:langgenius:dify:1.9.1:*:*:*:*:node.js:*:*
EPSS: 0.00019 (percentile: 4%, Low)
CVSS3: 9.1 Critical
Weaknesses
NVD-CWE-noinfo
CWE-346
Related vulnerabilities
CVSS3: 9.1
github
about 2 months ago
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests.