CORS Misconfiguration
- Risk:
Medium
- Type:
- Active
- CWE:
- CWE-942
- Summary
This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim’s user agent.
In order to perform authenticated AJAX queries, the server must specify the header “Access-Control-Allow-Credentials: true” and the “Access-Control-Allow-Origin” header must be set to null or the malicious page’s domain. Even if this misconfiguration doesn’t allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).
A malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc).
- Solution
If a web resource contains sensitive information, the origin should be properly specified in the Access-Control-Allow-Origin header. Only trusted websites needing this resource should be specified in this header, with the most secured protocol supported.
Opera wants you to pay $19.90 per month for its new AI browser
Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer
Signal adds new cryptographic defense against quantum attacks
Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads
Renault and Dacia UK warn of data breach impacting customers
ShinyHunters launches Salesforce data leak site to extort 39 victims
CommetJacking attack tricks Comet browser into stealing emails
Oracle links Clop extortion attacks to July 2025 vulnerabilities
Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL
CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability
CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability
CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability
CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability
CVE-2021-21311 Adminer Server-Side Request Forgery Vulnerability
CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
CVE-2025-59689 Libraesva Email Security Gateway Command Injection Vulnerability
CVE-2025-32463 Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner