# Titles: database.refugee-integration.bg - CORS-AOT vulnerability
# Author: nu11secur1ty
# Date: 09/12/25
# Vendor: https://database.refugee-integration.bg/db2/
# Software: https://database.refugee-integration.bg/db2/
# Reference: https://portswigger.net/web-security/cors

## Description:

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

## Issue detail

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin `https://qleuyclfkcyu.com`

STATUS: HIGH Vulnerability

[+]Payload:

```
GET /db2/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fdatabase.refugee-integration.bg%2Fdb2%2F HTTP/2
Host: database.refugee-integration.bg
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="139", "Not;A=Brand";v="24", "Google Chrome";v="139"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Origin: https://imkazocptvmm.com
```

[+]Response:

```
HTTP/2 200 OK
X-Robots-Tag: noindex
Link: <https://database.refugee-integration.bg/db2/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Allow: GET
Access-Control-Allow-Origin: https://imkazocptvmm.com
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin
Content-Type: application/json; charset=UTF-8
Date: Thu, 11 Sep 2025 13:08:09 GMT
Server: Apache

{"version":"1.0","provider_name":"","provider_url":"https:\/\/database.refugee-integration.bg\/db2","author_name":"refuintegration","author_url":"https:\/\/database.refugee-integration.bg\/db2\/author\/refuintegration\/","title":"DATABASE DASHBOARD","type":"rich","width":600,"height":338,"html":"<blockquote class=\"wp-embedded-content\" data-secret=\"9SbiIDIhP4\"><a href=\"https:\/\/database.refugee-integration.bg\/db2\/\">DATABASE DASHBOARD<\/a><\/blockquote><iframe sandbox=\"allow-scripts\" security=\"restricted\" src=\"https:\/\/database.refugee-integration.bg\/db2\/embed\/#?secret=9SbiIDIhP4\" width=\"600\" height=\"338\" title=\"“DATABASE DASHBOARD” — \" data-secret=\"9SbiIDIhP4\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" class=\"wp-embedded-content\"><\/iframe><script>\n\/*! This file is auto-generated *\/\n!function(d,l){\"use strict\";l.querySelector&&d.addEventListener&&\"undefined\"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!\/[^a-zA-Z0-9]\/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret=\"'+t.secret+'\"]'),o=l.querySelectorAll('blockquote[data-secret=\"'+t.secret+'\"]'),c=new RegExp(\"^https?:$\",\"i\"),i=0;i<o.length;i++)o[i].style.display=\"none\";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(\"style\"),\"height\"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):\"link\"===t.message&&(r=new URL(s.getAttribute(\"src\")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(\"message\",d.wp.receiveEmbedMessage,!1),l.addEventListener(\"DOMContentLoaded\",function(){for(var e,t,s=l.querySelectorAll(\"iframe.wp-embedded-content\"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(\"data-secret\"))||(t=Math.random().toString(36).substring(2,12),e.src+=\"#?secret=\"+t,e.setAttribute(\"data-secret\",t)),e.contentWindow.postMessage({message:\"ready\",secret:t},\"*\")},!1)))}(window,document);\n<\/script>\n"}
```

[+]Exploit:

```
NOT PRESENT, FOR SECURITY REASONS!
```

# Video Reproduce:

Only with payment, but the exploit code is not showing there: for security reasons - only PoC: [href](https://www.patreon.com/posts/database-refugee-138722386)

# Time spent: 00:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
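The pattern the advisory documents is an arbitrary `Origin` echoed back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`. The following Python is an added example, not part of the advisory and not code from the vendor or from WordPress: it parses a response head like the one above, rates the policy the way the description does (reflected origin with credentials, reflected origin without credentials, wildcard, fixed origin), and shows the header set a strict exact-match allow-list would have returned for the same probe origin. The reduced sample response, the allow-list contents (`ALLOWED_ORIGINS`) and all function names are assumptions; the probe origin is the one used in the advisory's request.

```python
"""Added example: classify a CORS response for Origin reflection with
credentials, and compute the headers a strict allow-list emits instead."""

from dataclasses import dataclass
from typing import Dict, Mapping, Optional

# Constructed sample: the CORS-relevant lines of the advisory's response,
# with the body shortened. The probe origin matches the advisory's request.
PROBE_ORIGIN = "https://imkazocptvmm.com"
SAMPLE_RAW_RESPONSE = """HTTP/2 200 OK
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: https://imkazocptvmm.com
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin
Content-Type: application/json; charset=UTF-8

{"version":"1.0"}
"""

# Hypothetical allow-list for the hardened policy: only the site's own origin.
ALLOWED_ORIGINS = frozenset({"https://database.refugee-integration.bg"})


@dataclass(frozen=True)
class CorsFinding:
    severity: str   # "high", "medium", "low" or "none"
    reason: str


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split an HTTP response head into a dict keyed by lower-cased header
    name; parsing stops at the first blank line so the body is ignored."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:       # index 0 is the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_cors(probe_origin: str, headers: Mapping[str, str]) -> CorsFinding:
    """Rate the response to a request that carried an arbitrary, untrusted
    Origin (probe_origin). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return CorsFinding("none", "no Access-Control-Allow-Origin: the browser blocks the cross-origin read")
    if acao == "*":
        # Browsers never expose a credentialed response when ACAO is "*",
        # so only public content is readable this way.
        return CorsFinding("low", "wildcard origin; browsers do not pair '*' with credentials")
    if acao == probe_origin:
        if creds:
            return CorsFinding("high", "untrusted Origin reflected with credentials: "
                               "a third-party page can read authenticated responses")
        return CorsFinding("medium", "untrusted Origin reflected without credentials: "
                           "unauthenticated content readable through a victim's browser")
    return CorsFinding("none", f"allow-origin {acao!r} is fixed and does not match the probe")


def cors_headers_for(request_origin: Optional[str],
                     allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Headers a strict policy emits: exact-string match against the
    allow-list, credentials only for listed origins, and Vary: Origin so a
    shared cache never serves one origin's answer to another."""
    if request_origin is not None and request_origin in allowed:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}   # no ACAO at all: the cross-origin read is denied


if __name__ == "__main__":
    observed = classify_cors(PROBE_ORIGIN, parse_response_headers(SAMPLE_RAW_RESPONSE))
    print("observed policy:", observed.severity, "-", observed.reason)
    hardened = classify_cors(PROBE_ORIGIN, cors_headers_for(PROBE_ORIGIN))
    print("hardened policy:", hardened.severity, "-", hardened.reason)
```

The allow-list check is a whole-string comparison on purpose: prefix or suffix matching on the origin (for example accepting anything ending in the site's hostname) is the usual way an allow-list degrades back into reflection. The `Vary: Origin` header is kept even on the deny path so that a cached response for a listed origin is never handed to a different one.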