A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential further exploitation, thereby compromising the integrity and confidentiality of the system.
The AgentScope server does not implement proper CORS policy — the configuration does not restrict access exclusively to trusted domains (CWE-346: Origin Validation Error). As a result, a malicious website visited by a user can send cross-origin requests to the AgentScope API on their behalf. The victim's browser includes authenticating headers or cookies with these requests, allowing the attacker to interact with the API with the permissions of the logged-in user.
An attacker can gain unauthorized access to data processed by the API, lead to disclosure of sensitive information, and potentially conduct further attacks compromising system integrity and confidentiality.
Apply patches available from the vendor according to references. Additionally, it is recommended to manually implement a restrictive CORS policy on the AgentScope server, limiting allowed 'Access-Control-Allow-Origin' headers exclusively to trusted domains.
Modelscope AgentScope version v0.0.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HModelscope Agentscope
APPModelscope0.0.4
Related vulnerabilities
Path traversal umożliwiający usunięcie dowolnych plików w AgentScope
Path traversal w AgentScope umożliwia odczyt i zapis plików JSON
RCE przez niezabezpieczone eval() w Modelscope AgentScope
A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit thi...
An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope ver...