CWE-942β€”Permissive Cross-domain Security Policy with Untrusted Domains

PUBLISHEDweakness record
released 2014-06-23 Β· last modified 2025-12-11

Metadata

CWE ID:
CWE-942
Abstraction:
Variant
Structure:
Simple
Status:
Incomplete
Release Date:
2014-06-23
Latest Modification Date:
2025-12-11

Weakness Name

Permissive Cross-domain Security Policy with Untrusted Domains

Description

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.

Common Consequences

Scope:
Confidentiality, Integrity, Availability, Access Control
Impact:
Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context
Notes:
With an overly permissive policy file, an attacker may be able to bypass the web browser's same-origin policy and conduct many of the same attacks seen in Cross-Site Scripting (CWE-79). An attacker can exploit the weakness to transfer private information from the victim's machine to the attacker, manipulate or steal cookies that may include session information, create malicious requests to a web site on behalf of the victim, or execute malicious code on the end user systems. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running ActiveX controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content.

Related Weaknesses

Related Alerts