Cross-Domain Misconfiguration
- Risk: Medium
- Type: Passive
- Summary
Web browser data loading may be possible due to a Cross-Origin Resource Sharing (CORS) misconfiguration on the web server.
- Solution
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
- Other info
- The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third-party domains against unauthenticated APIs on this domain. Web browsers do not, however, let arbitrary third parties read the response from authenticated APIs, which reduces the risk somewhat. An attacker could use this misconfiguration to access data that is served without authentication but relies on some other form of protection, such as IP address white-listing.
- References
https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
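The following is an added example, not ZAP's own rule code: a passive check over a response's CORS headers that reproduces the alert's reasoning (a wildcard grant only exposes unauthenticated responses) and, going one step beyond the alert, also flags an untrusted Origin that is reflected with credentials allowed, beside the restrictive allowlist policy the Solution describes. TRUSTED_ORIGINS and all header values are constructed sample data.

```python
# Added example (not ZAP's rule code). TRUSTED_ORIGINS is an assumed allowlist
# and every header dict below is constructed sample data.
from typing import Dict, List, Mapping, Optional

TRUSTED_ORIGINS = {"https://app.example.com"}  # assumed allowlist for the demo


def assess_cors(request_origin: Optional[str],
                response_headers: Mapping[str, str]) -> List[str]:
    """Classify a response's CORS headers; an empty list means no finding.

    A wildcard lets any site read responses the browser would otherwise block
    under the Same Origin Policy, but only for requests sent without
    credentials. Reflecting an untrusted Origin with credentials allowed
    widens that to authenticated responses.
    """
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no CORS grant: the browser enforces SOP as usual
    if acao == "*":
        findings.append("wildcard ACAO: any origin may read unauthenticated responses")
    elif acao == "null":
        findings.append("ACAO null: opaque/sandboxed origins are granted access")
    elif request_origin and acao == request_origin and acao not in TRUSTED_ORIGINS:
        findings.append("ACAO reflects an untrusted request Origin")
        if creds:
            findings.append("credentials allowed for reflected origin: "
                            "authenticated data readable cross-site")
    return findings


def restrictive_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Corrected policy: grant only allowlisted origins, else send no CORS headers.

    Vary: Origin keeps shared caches from serving one origin's grant to another.
    """
    if request_origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    weak = {"Access-Control-Allow-Origin": "*"}  # constructed weak response
    print(assess_cors("https://third-party.example", weak))
    fixed = restrictive_cors_headers("https://third-party.example")
    print(assess_cors("https://third-party.example", fixed))  # []
```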