CWE-942 (Overly Permissive Cross-domain Whitelist) — Vulnerability Class 61

61 vulnerabilities classified as CWE-942 (Overly Permissive Cross-domain Whitelist). AI Chinese analysis included.

CWE-942 represents a critical configuration weakness where web applications implement cross-domain security mechanisms, such as Content Security Policy or cross-origin resource sharing rules, but erroneously permit communication with untrusted domains. This flaw typically allows attackers to exploit the overly permissive policy by injecting malicious scripts or data from a compromised third-party domain, bypassing the browser’s same-origin policy to steal sensitive user data or execute unauthorized actions. Developers can prevent this vulnerability by strictly defining allowlists that include only verified, trusted sources, avoiding the use of wildcards or broad domain patterns that inadvertently grant access to malicious entities. Rigorous validation of domain configurations during development and continuous monitoring of policy enforcement ensure that cross-domain requests remain confined to legitimate, secure endpoints, thereby maintaining the integrity of the application’s security boundary.

MITRE CWE Description
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control · Impact: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context
With an overly permissive policy file, an attacker may be able to bypass the web browser's same-origin policy and conduct many of the same attacks seen in Cross-Site Scripting (CWE-79). An attacker can exploit the weakness to transfer private information from the victim's machine to the attacker, ma…
Mitigations (3)
Architecture and Design, Operation · Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Architecture and Design, Operation · Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Architecture and Design, Operation · For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
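As an added example (not from MITRE or any project listed on this page), the Python below contrasts two Origin-matching mistakes behind the wildcard and regex mitigations above with a strict exact-origin allowlist for a credentialed CORS response; all hostnames are constructed.

```python
# Added example (not from MITRE or any project listed on this page): an Origin
# allowlist check for a credentialed CORS layer. The two "weak_*" matchers show
# the mistakes behind CWE-942; strict_origin_allowed is the corrected form.
import re
from typing import Optional
from urllib.parse import urlsplit

# Exact origins only: scheme, host and (non-default) port. No wildcards.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}


def weak_suffix_match(origin: str) -> bool:
    # A "*.example.com" wildcard implemented as a bare suffix test:
    # "https://evil-example.com" also ends with "example.com".
    return origin.endswith("example.com")


def weak_regex_match(origin: str) -> bool:
    # Allowed origin pasted into a regex without re.escape() or a trailing
    # anchor: "." matches any character and nothing stops extra labels, so
    # "https://app-example.com.attacker.test" is accepted.
    return re.match("https://app.example.com", origin) is not None


def strict_origin_allowed(origin: str) -> bool:
    # Parse the Origin header and compare the whole (scheme, host, port) tuple
    # against the allowlist; an Origin never carries a path, query or fragment.
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    try:
        port = parts.port  # ValueError on a malformed port such as ":abc"
    except ValueError:
        return False
    suffix = f":{port}" if port and port != 443 else ""
    return f"https://{parts.hostname}{suffix}" in ALLOWED_ORIGINS  # hostname is lower-cased


def cors_headers(origin: Optional[str]) -> dict:
    # Headers for a credentialed API response. Echoing an arbitrary Origin, or
    # sending "*", alongside Allow-Credentials is the pattern in several CVEs
    # listed on this page; an unlisted origin gets no CORS headers at all.
    if origin is None or not strict_origin_allowed(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```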
Examples (1)
These cross-domain policy files are meant to allow Flash and Silverlight applications hosted on other domains to access their data:
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
    <allow-access-from domain="*.example.com"/>
    <allow-access-from domain="*"/>
</cross-domain-policy>
Bad · XML

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="SOAPAction">
                <domain uri="*"/>
            </allow-from>
            <grant-to>
                <resource path="/" include-subpaths="true"/>
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>
Bad · XML
CVE ID · Title · CVSS · Severity · Published
(Scores and severities marked "(AI)" carry the page's "AI" tag.)
CVE-2026-7643 · ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain policy — NextChat · 4.3 · Medium · 2026-05-02
CVE-2026-7581 · alexta69 MeTube CORS Policy main.py on_prepare cross-domain policy — MeTube · 4.3 · Medium · 2026-05-01
CVE-2026-41056 · AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover — AVideo · 8.1 · High · 2026-04-21
CVE-2026-6662 · ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy — copilot-api · 7.3 · High · 2026-04-20
CVE-2026-6143 · farion1231 cc-switch ProxyServer server.rs cross-domain policy — cc-switch · 6.3 · Medium · 2026-04-13
CVE-2026-5302 · Permissive Cross-domain Policy with Untrusted Domains in coolercontrold — coolercontrold · 6.3 · Medium · 2026-04-08
CVE-2026-33533 · Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard — glances · 8.1 (AI) · High (AI) · 2026-04-02
CVE-2026-5321 · vanna-ai vanna FastAPI/Flask Server cross-domain policy — vanna · 4.3 · Medium · 2026-04-02
CVE-2026-34449 · SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection — siyuan · 9.7 · Critical · 2026-03-31
CVE-2026-34237 · MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) — java-sdk · 6.1 · Medium · 2026-03-31
CVE-2025-55274 · HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability — Aftermarket DPC · 2.6 · Low · 2026-03-26
CVE-2026-33010 · mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft — mcp-memory-service · 8.1 · High · 2026-03-20
CVE-2026-33043 · AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS — AVideo · 8.1 · High · 2026-03-20
CVE-2026-30924 · qui CORS Misconfiguration: Arbitrary Origins Trusted — qui · 8.8 · - · 2026-03-19
CVE-2026-32610 · Glances's Default CORS Configuration Allows Cross-Origin Credential Theft — glances · 8.1 · High · 2026-03-18
CVE-2026-32617 · AnythingLLM Permissable CORS policy — anything-llm · 7.1 · High · 2026-03-13
CVE-2025-9292 · Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers — Omada Cloud Controller · 7.5 (AI) · High (AI) · 2026-02-13
CVE-2026-25478 · Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins — litestar · 7.4 · High · 2026-02-09
CVE-2025-13984 · Next.js - Critical - Access bypass - SA-CONTRIB-2025-122 — Next.js · 6.1 (AI) · Medium (AI) · 2026-01-28
CVE-2026-24435 · Tenda W30E V2 Permissive CORS Allows Cross-origin Data Access — W30E V2 · 8.1 (AI) · High (AI) · 2026-01-26
CVE-2026-1181 · Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access — Altium 365 · 9.0 · Critical · 2026-01-19
CVE-2025-62523 · PILOS Misconfigured the Access-Control-Allow-Origin Header — PILOS · 6.3 · Medium · 2025-10-27
CVE-2023-37401 · IBM Aspera Faspex cross-origin resource sharing — Aspera Faspex · 5.3 · Medium · 2025-10-09
CVE-2025-11304 · CodeCanyon/ui-lib Mentor LMS API cross-domain policy — Mentor LMS · 6.3 · Medium · 2025-10-05
CVE-2025-41010 · Cross-origin resource sharing (CORS) in Hiberus Sintra — Sintra · 9.8 (AI) · Critical (AI) · 2025-10-02
CVE-2020-36851 · Rob--W / cors-anywhere Misconfigured CORS Proxy Allows SSRF — Rob--W / cors-anywhere · 9.1 (AI) · Critical (AI) · 2025-09-25
CVE-2025-27909 · IBM Concert Software cross-origin resource sharing — Concert Software · 5.4 · Medium · 2025-08-18
CVE-2025-25264 · Overly Permissive CORS Policy in WAGO Device Manager — CC100 0751-9x01 · 6.5 · Medium · 2025-06-16
CVE-2025-41366 · CORS vulnerability in IDF and ZLF — IDF and ZLF · 8.0 (AI) · High (AI) · 2025-06-06
CVE-2025-41363 · CORS vulnerability in IDF and ZLF — IDF and ZLF · 8.8 (AI) · High (AI) · 2025-06-06

Vulnerabilities classified as CWE-942 (Overly Permissive Cross-domain Whitelist) represent 61 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.