Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Vulnerability Description
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
TinaCMS 安全漏洞
Vulnerability Description
TinaCMS是Tina开源的一个用于 Markdown、MDX 和 JSON 的开源无头 CMS。 TinaCMS 2.1.8之前版本存在安全漏洞,该漏洞源于TinaCMS CLI开发服务器配置了宽松的CORS策略,结合路径遍历漏洞,可能导致远程攻击者通过恶意网站枚举、写入和删除开发者机器上的任意文件。
CVSS Information
N/A
Vulnerability Type
N/A