134 – Insecure or unset HTTP headers - CORS

Description

The cross-domain policy includes wildcards, accepting any domain as valid for sharing resources.

Impact

Include resources from untrusted origins.

Recommendation

Remove the wildcard (*) and define explicitly the trusted origins for the application resources.

Threat

Unauthorized attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: A
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 062 - Define standard configurations
• 266 - Disable insecure functionalities
• 349 - Include HTTP security headers

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/14