CWE-942 112 個 CVE MITRE 定義 ↗

CWE-942:Permissive Cross-domain Security Policy with Untrusted Domains

概覽

CWE-942(Permissive Cross-domain Security Policy with Untrusted Domains)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

背景詳情

來自 CWE 目錄的擴展上下文(由 MITRE XHTML 渲染)。

In HTTP/HTTPS, policies such as the Same Origin Policy prevent web clients from loading resources from (or making requests to) domains that did not match the web site's own domain, e.g., Javascript or other code hosted on third-party servers. These policies are strictly enforced by browsers and other products. However, these restrictions can be reduced using mechanisms that specify other domains that are allowed to be contacted from the original site, such as Content Security Policy (CSP) or cross-domain policy files (e.g., "crossdomain.xml" in Adobe Flash or Reader, "clientaccesspolicy.xml" in Silverlight, etc.). These mechanisms define a list of domains from which a client is allowed to make cross-domain requests. When making a cross-domain request, the client will first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make requests, the request is made.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Web Based Undetermined
technology Web Server Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-21761 2026-07-17 HCL DevOps Loop is affected by a Cross-Origin Resource Sharing (CORS) misconfiguration. Improper CORS configuration may allow unauthorized cross-origin requests, potentially exposing application resou…
CVE-2024-23578 2026-07-17 HCL Aftermarket EPC is vulnerable to attack as the application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain (*-Wildcard).
CVE-2026-62387 2026-07-16 The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: * as its default CORS configuration on all responses, including authenticated endpoints and prefli…
CVE-2026-61736 2026-07-15 LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORS_ORIGINS=* combined with allow_credentials=True in lightrag/api/lightrag_server.py, causing…
CVE-2026-8919 2026-07-14 Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a r…
CVE-2026-59148 2026-07-09 Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes…
CVE-2026-59726 2026-07-09 Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authenticat…
CVE-2026-56458 2026-07-09 HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to …
CVE-2026-55110 2026-07-02 A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that …
CVE-2026-12084 2026-06-30 IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive …
CVE-2026-57957 2026-06-29 Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by ex…
CVE-2026-54753 2026-06-26 Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every resp…
CVE-2026-46608 2026-06-25 Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for…
CVE-2026-54290 2026-06-22 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflec…
CVE-2026-56076 2026-06-18 PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks aut…
CVE-2026-50088 2026-06-12 The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Pe…
CVE-2026-50087 2026-06-12 The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and ha…
CVE-2026-10056 2026-05-29 CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote at…
CVE-2026-46685 2026-05-28 RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin…
CVE-2026-45021 2026-05-28 Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin …

曾用名

  • Overly Permissive Cross-domain Whitelist (2020-02-26)
  • Permissive Cross-domain Policy with Untrusted Domains (2025-09-09)

內容提交

名稱
CWE Content Team
組織
MITRE
日期
2014-06-05
版本
2.7
評論
Created by MITRE with input from members of the CWE-Research mailing list.

內容修訂

日期 名稱 版本 重要性 評論
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, References, Relationships
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Relationships
2020-06-25 CWE Content Team 4.1 updated Description, Name
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description, Relationships
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2024-02-29 CWE Content Team 4.14 updated Demonstrative_Examples
2025-09-09 CWE Content Team 4.18 updated Background_Details, Common_Consequences, Description, Name, Potential_Mitigations, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities

貢獻

類型 名稱 日期 評論
Content Jagjeet Singh 2022-08-23 Suggested new entry for misconfigured CSP allowing JavaScript, leading to changes in CWE-942 to make it more general
cvelogic Threat Intelligence