6.5

CVE-2025-55462

EPSS 0.01%
Veröffentlicht 13.01.2026 00:00:00
Zuletzt bearbeitet 05.02.2026 21:10:05
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Eramba ≫ Eramba Version3.26.0 SwEditioncommunity

Eramba ≫ Eramba Version3.26.0 SwEditionenterprise

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.018

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

http://eramba.com

Product

https://discussions.eramba.org/t/release-3-28-0/7860

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-55462

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55462

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55462

EUVD