Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
URL (HTTP Origin) call location spoofing in Szafir SDK Web
Vulnerability Description
Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction. This issue was fixed in version 0.0.17.4.
CVSS Information
N/A
Vulnerability Type
使用不可信的源
Vulnerability Title
Krajowa Izba Rozliczeniowa Szafir SDK Web 安全漏洞
Vulnerability Description
Krajowa Izba Rozliczeniowa Szafir SDK Web是波兰Krajowa Izba Rozliczeniowa公司的一款电子签名与身份认证开发工具包。 Krajowa Izba Rozliczeniowa Szafir SDK Web 0.0.17.4之前版本存在安全漏洞,该漏洞源于未验证document_base_url参数,可能导致未经验证的攻击者通过特制网站启动应用程序并下载任意文件。
CVSS Information
N/A
Vulnerability Type
N/A