PT-2026-2470 · Unknown · Eramba Community Edition, Eramba Enterprise Edition

Published 2026-01-13 · Updated 2026-01-13 · CVE-2025-55462

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Eramba Community and Enterprise Editions versions prior to 3.26.0

Description: A Cross-Origin Resource Sharing (CORS) misconfiguration exists that allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response header, along with Access-Control-Allow-Credentials: true. This enables malicious third-party websites to perform authenticated cross-origin requests against the Eramba API. Affected API endpoints include '/system-api/login' and '/system-api/user/me'. The response contains sensitive user session data, including ID, name, email, and access groups, which can be read by attacker JavaScript. This allows for full session hijack and data exfiltration without user interaction.

Recommendations: Update to a version newer than 3.26.0.
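As an added illustration (not Eramba's code or the advisory's own material), the following shows the safe counterpart of the pattern described above, a strict origin allowlist that only ever echoes a trusted origin together with Allow-Credentials, and a header audit that flags a response reflecting an untrusted Origin. The origin values and allowlist are constructed assumptions.

```python
"""Added example: CORS allowlist policy and response-header audit for the
reflected-Origin-with-credentials misconfiguration. Origins are constructed."""
from typing import Dict, Optional

# Constructed allowlist: the only origin the API should trust (assumption).
TRUSTED_ORIGINS = {"https://grc.example.internal"}


def cors_headers_for(origin: Optional[str], allowed=TRUSTED_ORIGINS) -> Dict[str, str]:
    """Safe policy: echo an origin only if it matches the allowlist exactly,
    and send Allow-Credentials only in that case. Any other origin gets no
    CORS headers, so the browser refuses the cross-origin read."""
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Vary keeps shared caches from serving one origin's headers to another.
        "Vary": "Origin",
    }


def audit_cors(request_origin: str, response_headers: Dict[str, str],
               trusted=TRUSTED_ORIGINS) -> str:
    """Classify a response to a request that carried `request_origin`.
    'reflected-with-credentials' is the pattern the advisory describes:
    an untrusted Origin echoed back plus Allow-Credentials: true."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "ok"  # no CORS grant at all; browser blocks the read
    if acao == "*":
        # Wildcard plus credentials is rejected by browsers but is still a
        # misconfiguration worth reporting; wildcard alone exposes public data only.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == request_origin and request_origin not in trusted:
        return "reflected-with-credentials" if creds else "reflected-no-credentials"
    return "ok"
```

Run the audit against a response captured from a request that deliberately carried a non-allowlisted Origin header; a result of "reflected-with-credentials" is the finding described in this advisory.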

Related Identifiers

CVE-2025-55462

Affected Products

Eramba Community Edition
Eramba Enterprise Edition