DerScanner
Home / Vulnerability Database / HTML5 : Unsafe cross-origin resource sharing (CORS) policy
HTML5

HTML5 : Unsafe cross-origin resource sharing (CORS) policy

Classification

OWASP Top 10 2013
A5-Security Misconfiguration
OWASP Top 10 2017
A5-Broken Access ControlA6-Security Misconfiguration
OWASP Top 10 2021
A1-Broken Access ControlA5-Security MisconfigurationA4-Insecure DesignA8-Software and Data Integrity Failures
OWASP ASVS
ConfigurationConfiguration
CWE
CWE-183CWE-345CWE-346CWE-451CWE-942CWE-1031

Overview

Unsafe CORS configuration may lead to the data being compromised.

CORS (Cross Origin Resource Policy) is a mechanism defined in the HTML5 standard that enables JavaScript-code to work with data from another domain. CORS parameters must be defined in the HTTP header Access-Control-Allow-Origin.

CORS parameter defined not precisely enough may lead to the application data being compromised.

References

  1. OWASP: HTML5 Security Cheat Sheet
  2. Cross-Origin Resource Sharing - w3.org
  3. OWASP Top 10 2017-A6-Security Misconfiguration
  4. OWASP Top 10 2017-A5-Broken Access Control
  5. CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control
  6. CWE-346
  7. CWE-942
MEDIUM

DerScanner Severity Score

Do you want to fix HTML5 : Unsafe cross-origin resource sharing (CORS) policy in your application?

See also

HTML5

HTML5 : Missing required cryptographic step

HTML5

HTML5 : Weak hashing algorithm

HTML5

HTML5 : Cross-site request forgery (CSRF)