CVE-2020-26527

Name of the Vulnerable Software and Affected Versions Damstra Smart Asset version 2020.7

Description An issue was discovered in the API/api/Version endpoint, where cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin' header, such as Origin: example.com, and responding with a 200 OK status and a wildcard 'Access-Control-Allow-Origin: *' header.

Recommendations For Damstra Smart Asset version 2020.7, consider restricting access to the API/api/Version endpoint to minimize the risk of exploitation. As a temporary workaround, restrict the Origin header to only trusted domains until a patch is available.