A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfiguration enables attackers to intercept tokens using a simple browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions within the application.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NJc21 nginx Proxy Manager
APPJc212.12.3
Related vulnerabilities
Command injection w Nginx Proxy Manager — RCE przez funkcję Let's Encrypt
An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to ...
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authe...
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend...
A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows ...