CWE-942(Permissive Cross-domain Security Policy with Untrusted Domains)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
來自 CWE 目錄的擴展上下文(由 MITRE XHTML 渲染)。
In HTTP/HTTPS, policies such as the Same Origin Policy prevent web clients from loading resources from (or making requests to) domains that did not match the web site's own domain, e.g., Javascript or other code hosted on third-party servers. These policies are strictly enforced by browsers and other products. However, these restrictions can be reduced using mechanisms that specify other domains that are allowed to be contacted from the original site, such as Content Security Policy (CSP) or cross-domain policy files (e.g., "crossdomain.xml" in Adobe Flash or Reader, "clientaccesspolicy.xml" in Silverlight, etc.). These mechanisms define a list of domains from which a client is allowed to make cross-domain requests. When making a cross-domain request, the client will first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make requests, the request is made.
| 類型 | 名稱 | 類 | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Web Based | Undetermined | — |
| technology | Web Server | — | Undetermined | — |
下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。
| CVE | 公開時間 | 摘要 |
|---|---|---|
| CVE-2026-21761 | 2026-07-17 | HCL DevOps Loop is affected by a Cross-Origin Resource Sharing (CORS) misconfiguration. Improper CORS configuration may allow unauthorized cross-origin requests, potentially exposing application resou… |
| CVE-2024-23578 | 2026-07-17 | HCL Aftermarket EPC is vulnerable to attack as the application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain (*-Wildcard). |
| CVE-2026-62387 | 2026-07-16 | The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: * as its default CORS configuration on all responses, including authenticated endpoints and prefli… |
| CVE-2026-61736 | 2026-07-15 | LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORS_ORIGINS=* combined with allow_credentials=True in lightrag/api/lightrag_server.py, causing… |
| CVE-2026-8919 | 2026-07-14 | Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a r… |
| CVE-2026-59148 | 2026-07-09 | Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes… |
| CVE-2026-59726 | 2026-07-09 | Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authenticat… |
| CVE-2026-56458 | 2026-07-09 | HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to … |
| CVE-2026-55110 | 2026-07-02 | A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that … |
| CVE-2026-12084 | 2026-06-30 | IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive … |
| CVE-2026-57957 | 2026-06-29 | Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by ex… |
| CVE-2026-54753 | 2026-06-26 | Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every resp… |
| CVE-2026-46608 | 2026-06-25 | Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for… |
| CVE-2026-54290 | 2026-06-22 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflec… |
| CVE-2026-56076 | 2026-06-18 | PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks aut… |
| CVE-2026-50088 | 2026-06-12 | The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Pe… |
| CVE-2026-50087 | 2026-06-12 | The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and ha… |
| CVE-2026-10056 | 2026-05-29 | CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote at… |
| CVE-2026-46685 | 2026-05-28 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin… |
| CVE-2026-45021 | 2026-05-28 | Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin … |
| 日期 | 名稱 | 版本 | 重要性 | 評論 |
|---|---|---|---|---|
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, References, Relationships |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Description, Name |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description, Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Background_Details, Common_Consequences, Description, Name, Potential_Mitigations, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
| 類型 | 名稱 | 日期 | 評論 |
|---|---|---|---|
| Content | Jagjeet Singh | 2022-08-23 | Suggested new entry for misconfigured CSP allowing JavaScript, leading to changes in CWE-942 to make it more general |