Permissive Cross-Origin Resource Sharing
A vulnerability may arise when the Access-Control-Allow-Origin header permits other pages (hosted on different domains) to access the response body. This may enable some kinds of client-side exploits targeting authenticated users by leveraging vulnerabilities, such as XSS, on 3rd-party applications.
If CORS is not required, then it is advisable to turn it off. It is important to ensure that the Access-Control-Allow-Origin header is used only on safe resources which will not expose any data belonging to the currently logged-in user.
Keep in mind that the current finding may be an intended application feature.
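One way to apply the advice above, as an added example that is not part of the original entry: an exact-match origin allowlist for building the response headers, and a check that classifies the CORS headers a server returned for a probe request. The origins in `ALLOWED_ORIGINS` and the function names are assumptions made for illustration.

```python
# Added example: allowlist-based CORS policy plus an audit check.
# ALLOWED_ORIGINS and every sample origin are constructed placeholders.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers(request_origin, allow_credentials=False):
    """Return CORS response headers, or {} to deny cross-origin reads."""
    # Exact string match only: no wildcard, no suffix/substring tests, no "null".
    if request_origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        # The value depends on the request, so caches must key on Origin.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors(probe_origin, response_headers):
    """Classify a response received for a request sent with Origin: probe_origin."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no CORS grant: the same-origin policy applies
    if acao == "*":
        findings.append("wildcard origin: any site can read this response")
    elif acao == "null":
        findings.append("'null' origin allowed: it is shared by unrelated documents")
    elif acao == probe_origin and probe_origin not in ALLOWED_ORIGINS:
        findings.append("untrusted origin reflected back")
    # Browsers refuse credentialed reads when the origin is "*", so skip that case.
    if creds and findings and acao != "*":
        findings.append("credentials allowed: authenticated user data is readable")
    if acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("missing 'Vary: Origin' on an origin-specific response")
    return findings
```

An empty list from `audit_cors` means no permissive grant was observed for that probe; a wildcard on a resource that is public by design is the intended-feature case mentioned above.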