Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CORS configuration is possibly vulnerable
Vulnerability Description
Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. In Open Zaak before version 1.3.3 the Cross-Origin-Resource-Sharing policy in Open Zaak is currently wide open - every client is allowed. This allows evil.com to run scripts that perform AJAX calls to known Open Zaak installations, and the browser will not block these. This was intended to only apply to development machines running on localhost/127.0.0.1. Open Zaak 1.3.3 disables CORS by default, while it can be opted-in through environment variables. The vulnerability does not actually seem exploitable because: a) The session cookie has a `Same-Site: Lax` policy which prevents it from being sent along in Cross-Origin requests. b) All pages that give access to (production) data are login-protected c) `Access-Control-Allow-Credentials` is set to `false` d) CSRF checks probably block the remote origin, since they're not explicitly added to the trusted allowlist.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
源验证错误
Vulnerability Title
Open Zaak 访问控制错误漏洞
Vulnerability Description
Open Zaak是Open Zaak团队的一个基于Python的数据和服务层应用。该软件可Zaakgericht Werken进行交互。 Open Zaak before version 1.3.3 存在访问控制错误漏洞,该漏洞源于跨域资源共享策略当前是完全开放的-允许每个客户端。 evil.com可以运行对已知的Open Zaak安装执行AJAX调用的脚本,并且浏览器不会阻止这些脚本。
CVSS Information
N/A
Vulnerability Type
N/A