
CWE-942 (Overly Permissive Cross-Domain Whitelist) — Vulnerability Class 61

61 vulnerabilities classified as CWE-942 (Overly Permissive Cross-Domain Whitelist). AI Chinese analysis included.

CWE-942 represents a critical configuration weakness where web applications implement cross-domain security mechanisms, such as Content Security Policy or cross-origin resource sharing rules, but erroneously permit communication with untrusted domains. This flaw typically allows attackers to exploit the overly permissive policy by injecting malicious scripts or data from a compromised third-party domain, bypassing the browser’s same-origin policy to steal sensitive user data or execute unauthorized actions. Developers can prevent this vulnerability by strictly defining allowlists that include only verified, trusted sources, avoiding the use of wildcards or broad domain patterns that inadvertently grant access to malicious entities. Rigorous validation of domain configurations during development and continuous monitoring of policy enforcement ensure that cross-domain requests remain confined to legitimate, secure endpoints, thereby maintaining the integrity of the application’s security boundary.
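The description above names CORS rules alongside policy files. The following is an added example (not from this page or from MITRE) that contrasts a strict, exact-match origin allowlist with the "broad domain pattern" check the paragraph warns against; the allowlist entries and hostnames are constructed for illustration.

```python
"""Exact-match CORS origin allowlisting versus a suffix match (added example
for CWE-942; the allowlist entries and hostnames below are constructed)."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of exact origins: scheme + host + non-default port.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize an Origin header value; None if it is not a plain web origin."""
    try:
        parts = urlsplit(origin)
        port = parts.port                       # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None                             # covers "null" and garbage values
    if parts.path or parts.query or parts.fragment or parts.username:
        return None                             # a real Origin never carries these
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers_strict(origin_header: Optional[str]) -> Dict[str, str]:
    """Return CORS response headers only for an exact allowlist hit.
    Unknown origins get no header at all: nothing is reflected, no '*' is emitted."""
    if not origin_header:
        return {}
    origin = normalize_origin(origin_header)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def cors_headers_suffix_match(origin_header: Optional[str]) -> Dict[str, str]:
    """The CWE-942 shape: a broad pattern instead of an allowlist. Every hostname
    ending in 'example.com' is trusted, including hosts the site owner does not
    control, and the caller's own Origin value is reflected back to it."""
    if origin_header and origin_header.lower().endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin_header}
    return {}


if __name__ == "__main__":
    for value in ("https://app.example.com", "https://notexample.com",
                  "https://app.example.com.other.test", "null"):
        print(f"{value:40} strict={cors_headers_strict(value)} "
              f"suffix={cors_headers_suffix_match(value)}")
```

The strict version compares whole origins after normalization, so case, an explicit default port, or a path appended to the header cannot widen the match; the suffix version accepts any registrable domain that merely ends in the expected string.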

MITRE CWE Description
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context
With an overly permissive policy file, an attacker may be able to bypass the web browser's same-origin policy and conduct many of the same attacks seen in Cross-Site Scripting (CWE-79). An attacker can exploit the weakness to transfer private information from the victim's machine to the attacker, ma…
Mitigations (3)
Phases: Architecture and Design, Operation
Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.

Phases: Architecture and Design, Operation
Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.

Phases: Architecture and Design, Operation
For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
Examples (1)
These cross-domain policy files are meant to allow Flash and Silverlight applications hosted on other domains to access the server's data:

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
Bad · XML

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
Bad · XML
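The checks the mitigations list asks for (no wildcards, an explicit meta-policy) can be applied mechanically. The following is an added example, not MITRE's or this site's code: a small auditor for Flash crossdomain.xml and Silverlight clientaccesspolicy.xml files, run here against the two policies quoted above plus a restrictive Flash policy constructed for contrast. The finding texts and the restrictive policy are this example's own.

```python
"""Audit Flash crossdomain.xml and Silverlight clientaccesspolicy.xml files for
CWE-942 patterns. Added example; inputs below are constructed (the first two
reproduce the policies quoted above, the third is a restrictive counterpart)."""
import xml.etree.ElementTree as ET
from typing import List

FLASH_BAD = """<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SILVERLIGHT_BAD = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

# Constructed restrictive policy: one exact host, HTTPS only, explicit meta-policy.
FLASH_GOOD = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="partner.example.com" secure="true"/>
</cross-domain-policy>"""


def _domain_issue(value: str) -> str:
    """Return why a domain/uri value is too permissive, or '' for an exact host."""
    value = value.strip()
    if value == "*":
        return "trusts every origin"
    if "*" in value:
        return "wildcard pattern; every host matching it is trusted"
    if not value:
        return "empty domain value"
    return ""


def audit_policy(xml_text: str) -> List[str]:
    """Return findings for one policy file; an empty list means these checks passed."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    if root.tag == "cross-domain-policy":            # Flash crossdomain.xml
        for el in root.iter("allow-access-from"):
            dom = el.get("domain", "")
            why = _domain_issue(dom)
            if why:
                findings.append(f"allow-access-from domain={dom!r}: {why}")
            if el.get("secure", "").lower() == "false":
                findings.append(f"allow-access-from domain={dom!r}: secure=\"false\" "
                                "extends the policy to callers not loaded over HTTPS")
        sc = root.find("site-control")
        meta = sc.get("permitted-cross-domain-policies", "") if sc is not None else ""
        if meta not in ("master-only", "none"):
            findings.append("site-control: set permitted-cross-domain-policies to "
                            "'master-only' or 'none' so extra policy files are not honored")
    elif root.tag == "access-policy":                # Silverlight clientaccesspolicy.xml
        for policy in root.iter("policy"):
            wildcard = False
            for el in policy.iter("domain"):
                uri = el.get("uri", "")
                why = _domain_issue(uri)
                if why:
                    wildcard = True
                    findings.append(f"domain uri={uri!r}: {why}")
            for res in policy.iter("resource"):
                if (wildcard and res.get("path") == "/"
                        and res.get("include-subpaths", "false").lower() == "true"):
                    findings.append("grant-to resource path='/' with include-subpaths: "
                                    "the wildcard above reaches the whole site")
    else:
        findings.append(f"unrecognized policy root <{root.tag}>")
    return findings


if __name__ == "__main__":
    for name, text in (("flash-bad", FLASH_BAD), ("silverlight-bad", SILVERLIGHT_BAD),
                       ("flash-good", FLASH_GOOD)):
        issues = audit_policy(text)
        print(f"{name}: {'OK' if not issues else f'{len(issues)} finding(s)'}")
        for issue in issues:
            print("  -", issue)
```

Each quoted file yields findings for its wildcard entries; the Flash file additionally lacks a site-control meta-policy, which is the third mitigation above. Feed the function the policy files fetched from your own hosts to catch the same patterns before deployment.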
CVE ID | Title | CVSS | Severity | Published
CVE-2019-14860 | Red Hat Fuse input validation error vulnerability — syndesis 7.1 | - | - | 2019-11-08

Vulnerabilities classified as CWE-942 (Overly Permissive Cross-Domain Whitelist) represent 61 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.