Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-942

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

Parent: CWE-863 - Incorrect Authorization

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

97 vulnerabilities with CWE-942

CVE-2025-57755 HIGH

musistudio claude-code-router < 1.0.34 - Exposure of Sensitive Information via Improper CORS Configuration

CVE-2025-27909 MEDIUM

IBM Concert 1.0.0-1.1.0 - Permissive Cross-domain Security Policy with Untrusted Domains

CVE-2025-25264 MEDIUM

WAGO CC100, PFC100, PFC200, TP600 - Unauthenticated Arbitrary File Read via CORS Misconfiguration

CVE-2025-41366 MEDIUM

ZIV IDF and ZLF - High-Privilege CORS Misconfiguration

CVE-2025-41363 MEDIUM

ZIV IDF and ZLF - View-Permission CORS Misconfiguration

CVE-2025-4839 LOW

itwanger paicoding 1.0.0-1.0.3 - Permissive Cross-domain Security Policy in CrossUtil.java

CVE-2025-4542 LOW

Freeebird Hotel < 1.2 - Permissive Cross-domain Security Policy with Untrusted Domains

CVE-2025-4515 MEDIUM

pribai/privategpt < 0.6.2 - Permissive Cross-domain Security Policy via allow_origins Argument

CVE-2025-25234 HIGH

Omnissa Unified Access Gateway < 2503 - CORS Bypass

CVE-2025-30354 MEDIUM

Bruno < 1.39.1 - Unauthenticated Remote Code Execution via Malicious Collection Import

CVE-2025-2865 MEDIUM

SaTECH BCU Firmware 2.1.3 - Stored Cross-Site Scripting via Untrusted Domain Resources

CVE-2025-1083 LOW

Mindskip xzs-mysql 3.9.0 - Permissive Cross-domain Security Policy with Untrusted Domains in CORS Handler

CVE-2024-11071 HIGH

Cyberdigm DestinyECM - Cross-Site Request Forgery via JSON Hijacking

CVE-2024-22348 MEDIUM

IBM DevOps Velocity 5.0.0, IBM UrbanCode Velocity 4.0.0-4.0.25 - SSRF

CVE-2024-53276 MEDIUM

home-gallery <= 1.15.0 - Permissive Cross-domain Security Policy in CORS Middleware

CVE-2024-49763 HIGH

PlexRipper < 0.24.0 - Unauthenticated Sensitive Information Exposure via CORS Misconfiguration

CVE-2024-45642 MEDIUM

IBM Security ReaQta 3.12-3.12.11 - Stored Cross-Site Scripting in Web UI

CVE-2024-10315 MEDIUM

Gliffy Online <4.14.0-6 - Info Disclosure

CVE-2024-6449 MEDIUM

HyperView Geoportal Toolkit <8.5.0 - SSRF

CVE-2024-41657 HIGH

Casdoor <= 1.577.0 - Authenticated Cross-Origin Request Forgery via Origin Header Prefix Check

CVE-2024-41659 HIGH

memos < 0.21.0 - Unauthenticated CORS Misconfiguration with Credentials

CVE-2024-32862 MEDIUM

ExacqVision Web Service < 24.03 - Permissive Cross-domain Security Policy with Untrusted Domains

CVE-2024-37131 HIGH

Dell Policy Manager for Secure Connect Gateway 5.18.00.20-5.24.00.14 - Unauthenticated CORS Bypass

CVE-2024-23823 MEDIUM

vantage6 < 4.2.1 and >=0 < 4.3.0 - Permissive Cross-domain Security Policy

CVE-2024-25124 CRITICAL

Fiber < 2.52.1 - Insecure CORS Configuration with Wildcard Origin and Credentials

Previous Page 3 of 4 Next

Details

Vulnerabilities 97

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy