CVE-2026-57957
⚪ Do wiadomości
Błąd konfiguracji CORS w Papermark umożliwia zdalnym atakującym przesyłanie plików do dataroomów ofiar.
CVSS
4.7
EPSS
0.0%
Exploit
none
Vendor
Opis źródłowy (NVD)
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.
brak
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 4.7 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-06-29 18:16:41 UTC |
| Ostatnia modyfikacja (NVD) | 2026-06-29 19:15:23 UTC |
Referencje
- https://github.com/AstoKr/papermark/pull/1 (disclosure@vulncheck.com)
- https://github.com/papermark/papermark/issues/2178 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/papermark-cors-misconfiguration-in-viewer-upload-endpoint (disclosure@vulncheck.com)