
137 Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies


Description

The application does not send the X-Permitted-Cross-Domain-Policies header in its responses, or sends it with an insecure value (for example, all).


Impact

Adobe Flash and Acrobat/Reader clients decide whether they may make cross-domain requests to a site by reading a cross-domain policy file (crossdomain.xml) served by that site. Without this header, or with a permissive value, those clients honour policy files other than the master /crossdomain.xml, so an attacker who can place a file on the domain (for example through an upload feature) can publish a policy that lets content on another origin send requests to the application with the victim's session.


Recommendation

Unless the application must serve content to Adobe Flash or Acrobat clients, set X-Permitted-Cross-Domain-Policies: none in every server response. If a master policy file at /crossdomain.xml is genuinely required, master-only is the next most restrictive value; avoid by-content-type, by-ftp-filename and all, which accept policy files outside the master.
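The checker below is an added example for this entry, not code from the original page: it parses a raw HTTP response, looks up the header case-insensitively, and classifies the value according to the description and recommendation above (missing, insecure, restricted, secure), flagging conflicting duplicate headers as insecure. The sample responses at the end are constructed, not captured from a real host.

```python
"""Classify the X-Permitted-Cross-Domain-Policies header of an HTTP response.

Added example for this entry; not code from the original page. The raw
responses at the bottom are constructed samples, not captures from a real host.
"""

# Values defined for the header by Adobe's cross-domain policy specification.
RECOMMENDED = "none"            # no cross-domain policy files are honoured
MASTER_ONLY = "master-only"     # only the master file at /crossdomain.xml is honoured
PERMISSIVE = {"by-content-type", "by-ftp-filename", "all"}  # non-master files accepted
HEADER = "x-permitted-cross-domain-policies"


def parse_headers(raw_response: str) -> dict[str, list[str]]:
    """Return {lowercased header name: [values...]} for a raw HTTP response.

    Header names are case-insensitive, so they are lowercased; a header that
    appears more than once keeps every value so conflicts can be detected.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                            # blank or malformed line; ignore
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_xpcdp(raw_response: str) -> tuple[str, str]:
    """Return (verdict, detail); verdict is missing, insecure, restricted or secure."""
    values = parse_headers(raw_response).get(HEADER, [])
    if not values:
        return "missing", "header not set; Flash/Acrobat clients honour any policy file the site serves"
    normalized = {v.lower() for v in values}
    if len(normalized) > 1:
        # Two different values were sent; which one a client picks is not under
        # our control, so treat the response as insecure and ask for a single value.
        return "insecure", f"conflicting values {sorted(normalized)}; send a single value"
    value = normalized.pop()
    if value == RECOMMENDED:
        return "secure", "none: cross-domain policy files are ignored"
    if value == MASTER_ONLY:
        return "restricted", "master-only: only /crossdomain.xml is honoured; review that file"
    if value in PERMISSIVE:
        return "insecure", f"{value}: policy files outside the master (e.g. an uploaded file) are honoured"
    return "insecure", f"unrecognized value {value!r}; set the header to none"


# Constructed sample responses (not captured from a real server).
RESPONSE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
RESPONSE_ALL = "HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: all\r\n\r\n"
RESPONSE_MASTER = "HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: master-only\r\n\r\n"
RESPONSE_NONE = "HTTP/1.1 200 OK\r\nx-permitted-cross-domain-policies: None\r\n\r\n"
RESPONSE_CONFLICT = (
    "HTTP/1.1 200 OK\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-Permitted-Cross-Domain-Policies: all\r\n\r\n"
)

if __name__ == "__main__":
    samples = [
        ("missing", RESPONSE_MISSING),
        ("all", RESPONSE_ALL),
        ("master-only", RESPONSE_MASTER),
        ("none", RESPONSE_NONE),
        ("conflict", RESPONSE_CONFLICT),
    ]
    for label, response in samples:
        verdict, detail = check_xpcdp(response)
        print(f"{label:12} -> {verdict}: {detail}")
```

To run it against a live target, capture the response headers (for example with curl -sI) and pass the text to check_xpcdp; the remediation itself is a single directive in the web server or framework, such as nginx's add_header X-Permitted-Cross-Domain-Policies "none" always;.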


Threat

Unauthorized attacker from the Internet.


Expected Remediation Time

30 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/14