<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ericc-Ch - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/ericc-ch/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/ericc-ch/feed.xml" rel="self" type="application/rss+xml"/><item><title>ericc-ch copilot-api Permissive Cross-Domain Policy Vulnerability (CVE-2026-6662)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-copilot-api-cors/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-copilot-api-cors/</guid><description>CVE-2026-6662 is a vulnerability in ericc-ch copilot-api up to 0.7.0, specifically in the cors function of src/server.ts, leading to a permissive cross-domain policy that can be remotely exploited for cross-domain attacks.</description><content:encoded><![CDATA[<p>A vulnerability, identified as CVE-2026-6662, affects the ericc-ch copilot-api up to version 0.7.0. The weakness lies within the <code>cors</code> function of the <code>src/server.ts</code> file, specifically in the Token Endpoint component.  Successful exploitation of this vulnerability leads to a permissive cross-domain policy that includes untrusted domains. This flaw allows for remote exploitation, posing a risk to systems utilizing the vulnerable copilot-api versions. The exploit is publicly available, increasing the likelihood of malicious actors leveraging it. This vulnerability could allow attackers to perform actions on behalf of legitimate users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a server running a vulnerable version (&lt;=0.7.0) of ericc-ch copilot-api.</li>
<li>The attacker crafts a malicious web page designed to exploit the permissive CORS policy.</li>
<li>The attacker hosts the malicious web page on a server they control.</li>
<li>The attacker lures a victim user to visit the malicious web page (e.g., via phishing or drive-by download).</li>
<li>The victim's browser loads the malicious web page, which contains JavaScript code that interacts with the vulnerable copilot-api endpoint.</li>
<li>Due to the permissive CORS policy, the attacker's JavaScript code is allowed to make cross-origin requests to the copilot-api endpoint, bypassing standard browser security restrictions.</li>
<li>The attacker's script leverages the CORS vulnerability to impersonate the victim and performs unauthorized actions. This can include gaining unauthorized access or exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6662 allows attackers to bypass cross-origin restrictions, potentially leading to unauthorized access to sensitive data or the ability to perform actions on behalf of legitimate users. The permissive CORS policy weakens the security posture of applications relying on the vulnerable copilot-api, increasing the risk of cross-site scripting (XSS) attacks and other malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ericc-ch copilot-api to a version greater than 0.7.0 to patch CVE-2026-6662.</li>
<li>Monitor web server logs for suspicious cross-origin requests targeting the copilot-api endpoint to detect potential exploitation attempts. Use the rule &quot;Detect CVE-2026-6662 Exploitation Attempt&quot; to identify requests with unexpected origins.</li>
<li>Implement strict CORS policies to limit cross-origin access only to trusted domains, mitigating the impact of this vulnerability even in older versions.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>CORS</category><category>Cross-Site Scripting</category><category>API Vulnerability</category></item></channel></rss>