CVE-2023-0957

CRITICAL Year: 2023
CVSS v3 Score
9.6
Critical
Weakness Type
CWE-1385
View all →

Vulnerability Description

An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.

Related Vulnerabilities

CVE-2025-24964

CRITICAL
CVSS:9.6(Critical)

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site We...

CWE-13852025

CVE-2024-48849

HIGH
CVSS:9.4(Critical)

Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through <= 9.3.4.

CWE-13852024

CVE-2014-125071

CRITICAL
CVSS:9.8(Critical)

A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulatio...

CWE-13852014

CVE-2024-23168

CRITICAL
CVSS:9.8(Critical)

Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution.

CWE-13852024

CVE-2023-26114

CRITICAL
CVSS:9.3(Critical)

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to ac...

CWE-13852023

CVE-2023-2848

HIGH
CVSS:8.8(High)

Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation.

CWE-13852023