Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-13068

Summary
Assigner-TR-CERT
Assigner Org ID-ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At-03 Sep, 2025 | 13:12
Updated At-03 Sep, 2025 | 15:43
Rejected At-
Credits

Host Header Injection in Akinsoft's LimonDesk

Origin Validation Error vulnerability in Akinsoft LimonDesk allows Forceful Browsing.This issue affects LimonDesk: from s1.02.14 before v1.02.17.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:TR-CERT
Assigner Org ID:ca940d4e-fea4-4aa2-9a58-591a58b1ce21
Published At:03 Sep, 2025 | 13:12
Updated At:03 Sep, 2025 | 15:43
Rejected At:
▼CVE Numbering Authority (CNA)
Host Header Injection in Akinsoft's LimonDesk

Origin Validation Error vulnerability in Akinsoft LimonDesk allows Forceful Browsing.This issue affects LimonDesk: from s1.02.14 before v1.02.17.

Affected Products
Vendor
AKINSOFT Software EngineeringAkinsoft
Product
LimonDesk
Default Status
unaffected
Versions
Affected
  • From s1.02.14 before v1.02.17 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-346CWE-346 Origin Validation Error
Type: CWE
CWE ID: CWE-346
Description: CWE-346 Origin Validation Error
Metrics
VersionBase scoreBase severityVector
3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-87CAPEC-87 Forceful Browsing
CAPEC ID: CAPEC-87
Description: CAPEC-87 Forceful Browsing
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Berat ARSLAN
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.usom.gov.tr/bildirim/tr-25-0206
N/A
Hyperlink: https://www.usom.gov.tr/bildirim/tr-25-0206
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:iletisim@usom.gov.tr
Published At:03 Sep, 2025 | 14:15
Updated At:04 Sep, 2025 | 15:36

Origin Validation Error vulnerability in Akinsoft LimonDesk allows Forceful Browsing.This issue affects LimonDesk: from s1.02.14 before v1.02.17.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-346Primaryiletisim@usom.gov.tr
CWE ID: CWE-346
Type: Primary
Source: iletisim@usom.gov.tr
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.usom.gov.tr/bildirim/tr-25-0206iletisim@usom.gov.tr
N/A
Hyperlink: https://www.usom.gov.tr/bildirim/tr-25-0206
Source: iletisim@usom.gov.tr
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2024-12973
Matching Score-6
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-6
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-4.7||MEDIUM
EPSS-0.02% / 6.90%
||
7 Day CHG~0.00%
Published-02 Sep, 2025 | 11:43
Updated-02 Sep, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Host Header Injection in Akinsoft's OctoCloud

Origin Validation Error vulnerability in Akinsoft OctoCloud allows HTTP Response Splitting, CAPEC - 87 - Forceful Browsing.This issue affects OctoCloud: from s1.09.01 before v1.11.01.

Action-Not Available
Vendor-AKINSOFT Software Engineering
Product-OctoCloud
CWE ID-CWE-346
Origin Validation Error
CVE-2026-6662
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.02% / 6.56%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 17:00
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Action-Not Available
Vendor-ericc-ch
Product-copilot-api
CWE ID-CWE-346
Origin Validation Error
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CVE-2020-27969
Matching Score-4
Assigner-Yandex N.V.
ShareView Details
Matching Score-4
Assigner-Yandex N.V.
CVSS Score-7.3||HIGH
EPSS-0.09% / 25.71%
||
7 Day CHG~0.00%
Published-13 Sep, 2021 | 11:44
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing

Action-Not Available
Vendor-yandexn/a
Product-yandex_browserYandex Browser for Android
CWE ID-CWE-346
Origin Validation Error
CVE-2026-43870
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.3||HIGH
EPSS-0.02% / 5.72%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 07:45
Updated-06 May, 2026 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Node.js web_server.js multi-vulnerability

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-thriftApache Thrift
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-346
Origin Validation Error
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-14456
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-0.15% / 34.77%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:12
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_desktopn/a
CWE ID-CWE-346
Origin Validation Error
CVE-2025-47909
Matching Score-4
Assigner-Go Project
ShareView Details
Matching Score-4
Assigner-Go Project
CVSS Score-7.3||HIGH
EPSS-0.04% / 11.31%
||
7 Day CHG~0.00%
Published-29 Aug, 2025 | 15:55
Updated-29 Aug, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper validation of TrustedOrigins allows CSRF attacks in github.com/gorilla/csrf

Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin header is checked with sameOrigin against a synthetic URL. However, if a host is added to TrustedOrigins, both its HTTP and HTTPS origins will be allowed, because the schema of the synthetic URL is ignored and only the host is checked. For example, if an application is hosted on https://example.com and adds example.net to TrustedOrigins, a network attacker can serve a form at http://example.net to perform the attack. Applications should migrate to net/http.CrossOriginProtection, introduced in Go 1.25. If that is not an option, a backport is available as a module at filippo.io/csrf, and a drop-in replacement for the github.com/gorilla/csrf API is available at filippo.io/csrf/gorilla.

Action-Not Available
Vendor-github.com/gorilla/csrf
Product-github.com/gorilla/csrf
CWE ID-CWE-346
Origin Validation Error
Details not found