/vulndb/Open Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is a specification that allows a web application to offer its resources for consumption by pages served from other domains. CORS is typically used in cross-origin APIs designed to be consumed by JavaScript applications.

A vulnerability may arise when the Access-Control-Allow-Origin header permits any page to read the response body. However, most modern browsers treat open CORS headers as a misconfiguration and won't allow authenticated requests to be executed or their responses processed under them. The risk is therefore significantly reduced.

Solution

If CORS is not required, it is advisable to turn it off. Where it is required, ensure that the Access-Control-Allow-Origin header is used only on safe resources that will not expose any data belonging to the currently logged-in user.
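To make the browser behaviour described above concrete, and to give a defender a way to rate a finding against the solution, here is an added example (not part of the original entry) that mirrors the Fetch standard's CORS check and labels constructed sample responses; the probe origin and header sets are assumptions for illustration.

```python
"""Rate a CORS response the way a browser's CORS check would (added example)."""

from typing import Mapping


def browser_exposes(origin: str, headers: Mapping[str, str], credentialed: bool) -> bool:
    """Return True if a page at `origin` could read this response.

    Follows the Fetch standard's CORS check: a wildcard ACAO is honoured only
    for requests made without credentials; a credentialed request needs an
    exact origin match and Access-Control-Allow-Credentials: true.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower()
    if acao is None:
        return False
    if not credentialed:
        return acao == "*" or acao == origin
    # Credentialed: "*" is never a match, and credentials must be explicitly allowed.
    return acao == origin and acac == "true"


def classify(probe_origin: str, headers: Mapping[str, str]) -> str:
    """Label a response for an audit report, seen from an origin the server does not own."""
    if browser_exposes(probe_origin, headers, credentialed=True):
        return "authenticated data readable cross-origin"
    if browser_exposes(probe_origin, headers, credentialed=False):
        return "open CORS: only safe for resources that expose no user data"
    return "not readable cross-origin"


# Constructed sample responses (not captured from any real server).
PROBE_ORIGIN = "https://third-party.example"
SAMPLE_RESPONSES = {
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "wildcard_with_credentials": {"Access-Control-Allow-Origin": "*",
                                  "Access-Control-Allow-Credentials": "true"},
    "reflected_with_credentials": {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                                   "Access-Control-Allow-Credentials": "true"},
    "fixed_origin": {"Access-Control-Allow-Origin": "https://app.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:28s} -> {classify(PROBE_ORIGIN, hdrs)}")
```

Note that "wildcard_with_credentials" is the case the entry refers to: the browser rejects the wildcard for a credentialed request, so only unauthenticated data is exposed.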

Caveats

Keep in mind that the current finding may be an intended application feature.

References

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing