Permissive Cross-domain Policy with Untrusted Domains

CVE-2024-22348

Medium

5.3/10

Summary

IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 through 4.0. 25 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-942 - Permissive Cross-domain Policy with Untrusted Domains

The software uses a cross-domain policy file that includes domains that should not be trusted.

References

Advisory Timeline

Published Jan 20, 2025

Permissive Cross-domain Policy with Untrusted Domains

CVE-2024-22348

Summary

CWE-942 - Permissive Cross-domain Policy with Untrusted Domains

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS