SYM_JSTS_0016 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Permissive List of Allowed Inputs
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-183: Permissive List of Allowed Inputs |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The application responds with the header `Access-Control-Allow-Origin: *`, a wildcard in place of an explicit list of trusted origins. The browser's same-origin policy normally prevents a page on one origin from reading responses to requests it sends to another origin; the wildcard opts every origin in, so any website can read what your API returns. Note the scope of the setting: browsers refuse to combine `*` with `Access-Control-Allow-Credentials: true`, so cookies, HTTP authentication and client certificates are not sent on such requests. The wildcard therefore exposes whatever the API serves to requests that carry no credentials, which is a larger set than it sounds (see Impact).
Impact
A malicious website can issue requests to the API from a visitor's browser and read the responses. The exposure is greatest where the API serves non-public data to requests that carry no browser-managed credentials: endpoints reachable only from a corporate network or VPN (the victim's browser is inside it), endpoints that trust the client's source IP, or APIs that accept a token in the URL or in a header a script can supply. Because the wildcard cannot be combined with credentials, cookie-authenticated endpoints are not exposed directly; a common follow-on mistake is to "fix" that by reflecting the request's `Origin` header with credentials allowed, which is strictly worse than the wildcard, so the replacement should be an explicit allowlist. CORS only governs whether a response can be read, not whether a request is sent, so state-changing endpoints need cross-site request forgery (CSRF) protection regardless of this header.
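The permissive header beside an allowlist-based replacement, as an added example for this entry; it is not code from the Symbiotic Vulnerability Database or from any project it describes. It is written in the shape of an Express middleware (`req.headers`, `res.setHeader`, `next`) but uses plain objects so it runs without Express, and the origins in the allowlist are constructed sample values.

```javascript
// Added example for SYM_JSTS_0016 (not project code). Express-style request and
// response objects are assumed; the allowlist entries are constructed samples.

// The configuration this entry describes: every origin may read the response.
// Browsers refuse to pair "*" with credentials, so what this exposes is data
// reachable without cookies (intranet APIs, IP-trusted endpoints, token-in-URL).
function permissiveCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened version: an explicit allowlist of full origins (scheme + host + port)
// compared with strict equality. Prefix, suffix or regex matching would admit
// origins such as "https://app.example.test.attacker.test".
const ALLOWED_ORIGINS = new Set([
  "https://app.example.test",        // constructed sample origin
  "https://admin.example.test:8443", // constructed sample origin
]);

function corsHeadersFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  // Always emit Vary: Origin so a shared cache never serves one origin's
  // Access-Control-Allow-Origin value to a different origin.
  const headers = { Vary: "Origin" };
  // No Origin header: same-origin navigation or a non-browser client; emit no grant.
  if (typeof requestOrigin !== "string") return headers;
  // "null" is sent by sandboxed iframes, file:// pages and some redirects; never allow it.
  if (requestOrigin === "null") return headers;
  if (!allowlist.has(requestOrigin)) return headers;
  // Echo the matched origin (never the wildcard) so credentials may be used.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
  headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
  headers["Access-Control-Max-Age"] = "600";
  return headers;
}

// Middleware in the (req, res, next) shape Express uses.
function corsMiddleware(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === "OPTIONS") {
    // Preflight: answer without invoking the route handler. 204 for an allowed
    // origin, 403 otherwise so refusals are visible in server logs.
    res.statusCode = "Access-Control-Allow-Origin" in headers ? 204 : 403;
    return res.end();
  }
  next();
}

// Drives the middleware with a constructed request so the behaviour can be
// observed stand-alone; returns the status, emitted headers, and whether the
// downstream handler ran.
function simulate(method, origin) {
  const req = { method, headers: origin === undefined ? {} : { origin } };
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let handlerRan = false;
  corsMiddleware(req, res, () => { handlerRan = true; });
  return { status: res.statusCode, headers: res.headers, handlerRan };
}

module.exports = { permissiveCorsHeaders, corsHeadersFor, corsMiddleware, simulate, ALLOWED_ORIGINS };
```

The comparison is deliberately `Set.has` on the whole origin string: a scheme mismatch (`http://app.example.test`) or an extra port is a different origin and must not match. When the allowlist has to change at runtime, load it from configuration into the same `Set` rather than building it from the incoming `Origin` header.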