{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/copilot-api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6662"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["copilot-api"],"_cs_severities":["medium"],"_cs_tags":["CORS","Cross-Site Scripting","API Vulnerability"],"_cs_type":"advisory","_cs_vendors":["ericc-ch"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-6662, affects the ericc-ch copilot-api up to version 0.7.0. The weakness lies within the \u003ccode\u003ecors\u003c/code\u003e function of the \u003ccode\u003esrc/server.ts\u003c/code\u003e file, specifically in the Token Endpoint component.  Successful exploitation of this vulnerability leads to a permissive cross-domain policy that includes untrusted domains. This flaw allows for remote exploitation, posing a risk to systems utilizing the vulnerable copilot-api versions. The exploit is publicly available, increasing the likelihood of malicious actors leveraging it. This vulnerability could allow attackers to perform actions on behalf of legitimate users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a server running a vulnerable version (\u0026lt;=0.7.0) of ericc-ch copilot-api.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web page designed to exploit the permissive CORS policy.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious web page on a server they control.\u003c/li\u003e\n\u003cli\u003eThe attacker lures a victim user to visit the malicious web page (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe victim's browser loads the malicious web page, which contains JavaScript code that interacts with the vulnerable copilot-api endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the permissive CORS policy, the attacker's JavaScript code is allowed to make cross-origin requests to the copilot-api endpoint, bypassing standard browser security restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker's script leverages the CORS vulnerability to impersonate the victim and performs unauthorized actions. This can include gaining unauthorized access or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6662 allows attackers to bypass cross-origin restrictions, potentially leading to unauthorized access to sensitive data or the ability to perform actions on behalf of legitimate users. The permissive CORS policy weakens the security posture of applications relying on the vulnerable copilot-api, increasing the risk of cross-site scripting (XSS) attacks and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ericc-ch copilot-api to a version greater than 0.7.0 to patch CVE-2026-6662.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious cross-origin requests targeting the copilot-api endpoint to detect potential exploitation attempts. Use the rule \u0026quot;Detect CVE-2026-6662 Exploitation Attempt\u0026quot; to identify requests with unexpected origins.\u003c/li\u003e\n\u003cli\u003eImplement strict CORS policies to limit cross-origin access only to trusted domains, mitigating the impact of this vulnerability even in older versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-copilot-api-cors/","summary":"CVE-2026-6662 is a vulnerability in ericc-ch copilot-api up to 0.7.0, specifically in the cors function of src/server.ts, leading to a permissive cross-domain policy that can be remotely exploited for cross-domain attacks.","title":"ericc-ch copilot-api Permissive Cross-Domain Policy Vulnerability (CVE-2026-6662)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-copilot-api-cors/"}],"language":"en","title":"CraftedSignal Threat Feed - Copilot-Api","version":"https://jsonfeed.org/version/1.1"}