How severe is CVE-2023-49803?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2023-49803?

This is classified as CWE-346, which is a common weakness in software security.

CVE-2023-49803 - HIGH Severity | CVSS 7.5

Vulnerability Description

@koa/cors npm provides Cross-Origin Resource Sharing (CORS) for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an `Access-Control-Allow-Origin` header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy (SOP), this could cause a very serious security threat to the users of this middleware. If such behavior is expected, for instance, when middleware is used exclusively for prototypes and not for production applications, it should be heavily emphasized in the documentation along with an indication of the risks associated with such behavior, as many users may not be aware of it. Version 5.0.0 fixes this vulnerability.

Related Vulnerabilities

CVE-2001-1452

HIGH

CVSS:7.5(High)

By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which allows remote attackers to poison the DNS cache via spoofed DNS res...

CWE-3462001

CVE-2005-0877

HIGH

CVSS:7.5(High)

Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.

CWE-3462005

CVE-2014-1487

HIGH

CVSS:7.5(High)

The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy...

CWE-3462014

CVE-2016-5168

HIGH

CVSS:7.5(High)

Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information.

CWE-3462016

CVE-2016-9902

HIGH

CVSS:7.5(High)

The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inj...

CWE-3462016

CVE-2017-7561

HIGH

CVSS:7.5(High)

Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.

CWE-3462017