CVE-2025-41010
BaseFortify
Publication date: 2025-10-02
Last updated on: 2025-10-02
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hiberus | sintra | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra (CWE-942, a permissive cross-domain policy that admits untrusted domains). CORS is the browser mechanism that relaxes the same-origin policy: a script running on one origin may read a response from another origin only if the server opts in through the Access-Control-Allow-Origin response header, and may do so with the user's cookies or session attached only if the server also sends Access-Control-Allow-Credentials: true. The issue arises because the server does not check the request's Origin header against a fixed list of trusted origins; it accepts untrusted origins (for example by echoing the supplied value back in Access-Control-Allow-Origin) while credentials remain enabled. A page on any attacker-controlled origin, visited by a user who is logged in to the application, can then send credentialed requests to the application and read the responses, which lets the attacker perform privileged actions on the user's behalf or access confidential information.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to perform privileged actions on behalf of a user and to read confidential information by bypassing the browser's normal cross-origin restrictions, potentially leading to unauthorized data access or manipulation. Exploitation is browser-side: the victim must visit an attacker-controlled page while holding a valid session with the affected application, and the attacker's page then drives the victim's browser against it.
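The pattern described in the answers above, as an added example that is not code from Hiberus Sintra or from this page: a request handler's CORS decision in the permissive form CWE-942 describes (echo any Origin, allow credentials) beside a hardened allow-list form, plus the check a tester would run against an API's response headers to decide whether a probe origin gets credentialed read access. The origins, the allow-list and the probe list are assumptions constructed for the example.

```javascript
// Added example, not Hiberus Sintra code. Origins below are made up.
// Assumed first-party origins that legitimately need credentialed access.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Vulnerable pattern (CWE-942): whatever Origin the browser sent is echoed
// back, and credentials are allowed too. Any site the victim visits can now
// make the victim's browser attach its cookies and read the response.
function corsHeadersVulnerable(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened pattern: only an exact match against the fixed allow-list gets
// credentialed access. Everything else gets no CORS headers at all, so the
// browser refuses the cross-origin read. Exact matching (not startsWith /
// endsWith / regex) is what defeats look-alike origins.
function corsHeadersHardened(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Check: given the headers an API returned for a probe sent with a chosen
// Origin, decide whether a page on that origin could read the response with
// the user's credentials attached.
function grantsCredentialedRead(probeOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acac !== "true") return false; // browser would not attach cookies
  if (acao === "*") return false;    // browsers reject "*" with credentials
  return acao === probeOrigin;       // includes "null" when it is echoed
}

// Constructed probe list: one legitimate origin and three an attacker can
// obtain. "null" is what sandboxed iframes and data: URLs send as Origin.
const PROBE_ORIGINS = [
  "https://app.example.com",
  "https://evil.example",
  "null",
  "https://app.example.com.evil.example",
];

// Run every probe through a handler and return the origins that would be
// granted credentialed cross-origin reads.
function auditCors(handler, probes = PROBE_ORIGINS) {
  return probes.filter((origin) => grantsCredentialedRead(origin, handler(origin)));
}
```

Against a live target the same check is a request with an attacker-chosen Origin header (for example with curl -H "Origin: https://evil.example") followed by grantsCredentialedRead over the returned headers; a hit on any origin you do not own, or on "null", is the misconfiguration this CVE describes.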