CVE-2018-6651

Published: Feb 5, 2018Modified: Jun 17, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.

Affected (2)

Products: Uncurl Project: Uncurl · Parsecgaming: Parsec

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Uncurl Project Uncurl	Before 0.07

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Parsecgaming Parsec	Before 140-3

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7

Source: cve@mitre.org

https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/chrisd1100/uncurl/releases/tag/0.07

Source: cve@mitre.org

Third Party Advisory

https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/chrisd1100/uncurl/releases/tag/0.07

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.