Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.

N/A

过度许可的跨域白名单

glances 安全漏洞

glances是Nicolas Hennion个人开发者的一款系统监测工具。 Glances 4.5.3之前版本存在安全漏洞，该漏洞源于XML-RPC服务器缺少Content-Type验证和CORS配置不当，可能导致数据泄露。

N/A

N/A