
CWE-942 (Overly Permissive Cross-domain Whitelist) — Vulnerability Class 61

61 vulnerabilities classified as CWE-942 (Overly Permissive Cross-domain Whitelist). AI Chinese analysis included.

CWE-942 represents a critical configuration weakness where web applications implement cross-domain security mechanisms, such as Content Security Policy or cross-origin resource sharing rules, but erroneously permit communication with untrusted domains. This flaw typically allows attackers to exploit the overly permissive policy by injecting malicious scripts or data from a compromised third-party domain, bypassing the browser’s same-origin policy to steal sensitive user data or execute unauthorized actions. Developers can prevent this vulnerability by strictly defining allowlists that include only verified, trusted sources, avoiding the use of wildcards or broad domain patterns that inadvertently grant access to malicious entities. Rigorous validation of domain configurations during development and continuous monitoring of policy enforcement ensure that cross-domain requests remain confined to legitimate, secure endpoints, thereby maintaining the integrity of the application’s security boundary.

MITRE CWE Description
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control. Impact: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context.
With an overly permissive policy file, an attacker may be able to bypass the web browser's same-origin policy and conduct many of the same attacks seen in Cross-Site Scripting (CWE-79). An attacker can exploit the weakness to transfer private information from the victim's machine to the attacker, ma…
Mitigations (3)
Phase: Architecture and Design, Operation. Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Phase: Architecture and Design, Operation. Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Phase: Architecture and Design, Operation. For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
Examples (1)
These cross-domain policy files are meant to allow Flash and Silverlight applications hosted on other domains to access the site's data:
Bad · XML (Flash crossdomain.xml):

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>

Bad · XML (Silverlight clientaccesspolicy.xml):

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
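The following is an added example, not code from MITRE or from this site. It audits the two policy-file formats shown above for entries broader than one explicit host, which is the review check the mitigations call for, and it puts a strict CORS origin comparison beside the loose substring comparison that most of the CORS entries in the CVE table below come down to. The policy documents, the allowlist and the origins are constructed for the demo; `audit_policy`, `cors_allow_origin` and `weak_origin_check` are names chosen here.

```python
# Added example (not MITRE's or this site's code): audit cross-domain policy
# files for wildcard trust and compare a strict CORS origin check with a loose one.
# All sample documents, origins and the allowlist below are constructed for the demo.
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample: the Flash crossdomain.xml from the MITRE example, plus one
# explicit host so the audit has an entry it should NOT flag.
CROSSDOMAIN_XML = """<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="api.example.com"/>
</cross-domain-policy>"""

# Constructed sample: the Silverlight clientaccesspolicy.xml from the MITRE example,
# again with one explicit partner origin added.
CLIENTACCESS_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
        <domain uri="https://partner.example.net"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

Finding = Tuple[str, str, str]  # (entry, severity, reason)


def audit_policy(xml_text: str) -> List[Finding]:
    """Flag every trusted-origin entry that is broader than one explicit host.

    Understands both syntaxes on this page: Flash's <allow-access-from domain="...">
    and Silverlight's <domain uri="...">. Findings come back in document order.
    """
    root = ET.fromstring(xml_text)
    entries = [e.get("domain") for e in root.iter("allow-access-from")]
    entries += [e.get("uri") for e in root.iter("domain")]
    findings: List[Finding] = []
    for entry in entries:
        if entry is None:
            continue
        if entry == "*":
            # Bare wildcard: any site on the web may read responses as the victim.
            findings.append((entry, "high", "bare wildcard trusts every origin"))
        elif "*" in entry:
            # Subdomain wildcard: every current and future subdomain is trusted,
            # including stale ones that no longer belong to the organisation.
            findings.append((entry, "medium", "wildcard trusts every matching subdomain"))
    return findings


# Constructed allowlist for the CORS check. Entries are full origins
# (scheme + host [+ port]), which is exactly what the browser puts in Origin.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def weak_origin_check(origin: str) -> bool:
    """The loose comparison behind many CORS findings: a substring test.
    It accepts "https://attacker-example.com" as well as the real site, so it is
    included only as the pattern to look for during code review."""
    return "example.com" in origin


def cors_allow_origin(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None to omit the header.

    Exact match only: no reflection of the request value, no "*", no prefix or
    suffix matching. Send "Vary: Origin" alongside so shared caches do not reuse
    one origin's answer for another.
    """
    if origin is None or origin == "null":
        # Sandboxed iframes and some redirects send "null"; never allowlist it.
        return None
    return origin if origin in allowed else None


if __name__ == "__main__":
    for name, doc in (("crossdomain.xml", CROSSDOMAIN_XML), ("clientaccesspolicy.xml", CLIENTACCESS_XML)):
        for entry, sev, why in audit_policy(doc):
            print(f"{name}: [{sev}] {entry!r}: {why}")
    for o in ("https://app.example.com", "https://attacker-example.com", "null"):
        print(o, "->", cors_allow_origin(o), "| weak check:", weak_origin_check(o))
```

Run stand-alone it lists the two wildcard entries in the Flash file and the one in the Silverlight file, leaves the explicit hosts alone, and shows the strict check rejecting the attacker-controlled origin that the substring check accepts.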
CVE ID | Title | Product | CVSS | Severity | Published (values marked (AI) carry the site's AI badge)
CVE-2025-4839 | itwanger paicoding CrossUtil.java cross-domain policy | paicoding | 3.1 | Low | 2025-05-17
CVE-2025-4542 | Freeebird Hotel Management System API SessionInterceptor.java cross-domain policy | Hotel Management System API | 3.1 | Low | 2025-05-11
CVE-2025-4515 | Zylon PrivateGPT settings.yaml cross-domain policy | PrivateGPT | 4.3 | Medium | 2025-05-10
CVE-2025-30354 | Bruno ignores Safe-Mode in Asserts expressions | bruno | 9.8 (AI) | Critical (AI) | 2025-04-01
CVE-2025-2865 | Reflected Cross-Site Scripting (XSS) vulnerability in saTECH BCU | saTECH BCU | 6.1 | - | 2025-03-28
CVE-2025-1083 | Mindskip xzs-mysql Xuezhisi open-source exam system CORS cross-domain policy | xzs-mysql Xuezhisi open-source exam system | 3.1 | Low | 2025-02-06
CVE-2024-22348 | IBM UrbanCode Velocity cross-origin resource sharing | UrbanCode Velocity | 5.3 | Medium | 2025-01-20
CVE-2024-53276 | GHSL-2024-092: Open CORS policy in home-gallery | home-gallery | 6.5 | - | 2024-12-23
CVE-2024-49763 | PlexRipper allows API leak due to open CORS policy | PlexRipper | 8.1 | - | 2024-12-02
CVE-2024-45642 | IBM Security ReaQta information disclosure | Security ReaQta | 5.3 | Medium | 2024-11-14
CVE-2024-10315 | Insecure Configuration in Gliffy Online | Gliffy Online | 9.4 (AI) | Critical (AI) | 2024-11-11
CVE-2024-6449 | Arbitrary cross-domain file inclusion in HyperView Geoportal Toolkit | Geoportal Toolkit | 6.5 (AI) | Medium (AI) | 2024-08-28
CVE-2024-41657 | GHSL-2024-035: Casdoor CORS misconfiguration | casdoor | 8.1 | High | 2024-08-20
CVE-2024-41659 | GHSL-2024-034: memos CORS Misconfiguration in server.go | memos | 8.1 | High | 2024-08-20
CVE-2024-32862 | exacqVision CORS | exacqVision | 6.8 | Medium | 2024-08-01
CVE-2024-37131 | Dell Secure Connect Gateway security vulnerability | Secure Connect Gateway (SCG) Policy Manager | 7.5 | High | 2024-06-13
CVE-2023-38125 | Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability | edgeAggregator | 8.8 | - | 2024-05-03
CVE-2023-38122 | Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability | Ignition | 8.8 | - | 2024-05-03
CVE-2024-23823 | CORS settings overly permissive in vantage6 | vantage6 | 4.2 | Medium | 2024-03-14
CVE-2023-45213 | Westermo Lynx Permissive Cross-domain Policy with Untrusted Domains | Lynx | 6.6 | Medium | 2024-02-06
CVE-2023-50940 | IBM PowerSC cross-resource origin sharing | PowerSC | 5.3 | Medium | 2024-02-02
CVE-2024-21382 | Microsoft Edge for Android Information Disclosure Vulnerability | Microsoft Edge (Chromium-based) | 4.3 | Medium | 2024-01-26
CVE-2023-46281 | Siemens Opcenter Quality security vulnerability | Opcenter Execution Foundation | 7.1 | High | 2023-12-12
CVE-2023-25603 | Fortinet FortiADC security vulnerability | FortiDDoS-F | 5.4 | Medium | 2023-11-14
CVE-2023-46098 | Siemens SIMATIC PCS security vulnerability | SIMATIC PCS neo | 8.0 | High | 2023-11-14
CVE-2023-36829 | Sentry CORS misconfiguration vulnerability | sentry | 6.8 | Medium | 2023-07-06
CVE-2023-2360 | Acronis Cyber Infrastructure security vulnerability | Acronis Cyber Infrastructure | 7.5 | - | 2023-04-28
CVE-2022-34366 | Dell SupportAssist for Home PCs security vulnerability | SupportAssist Client Consumer | 6.5 | Medium | 2023-02-10
CVE-2021-27786 | HCL OneTest Server is vulnerable to Cross Origin Resource Sharing: Arbitrary Origin Trusted | HCL OneTest Server | 4.6 | Medium | 2022-06-07
CVE-2021-34435 | Eclipse Theia access control error vulnerability | Eclipse Theia | 8.8 | - | 2021-09-01

Vulnerabilities classified as CWE-942 (Overly Permissive Cross-domain Whitelist) represent 61 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.