Description

CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way.

The web application fails to properly validate the Origin header (check Details section for more information) and returns the header Access-Control-Allow-Credentials: true.

In this configuration any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

Remediation

Allow only selected, trusted domains in the Access-Control-Allow-Origin header.

References

CORS Security Considerations

WordPress REST API Handbook FAQ: Why is the REST API not verifying the incoming Origin header?

Related Vulnerabilities

Passive Mixed Content over HTTPS

Flask weak secret key

Memcached Unauthorized Access Vulnerability

Jenkins weak password

XML external entity injection and XML injection

Severity

Medium

Classification

CWE-942 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Configuration