V14 - Config
CORS (Cross-Origin Resource Sharing)
POC
- Send the request with the header Origin: https://www.evil.com (any origin the target does not own).
- The response carries Access-Control-Allow-Origin: https://www.evil.com together with Access-Control-Allow-Credentials: true. The server reflects whatever Origin it is given and allows credentials, so a page on any attacker-controlled origin, trusted or not, can issue authenticated (cookie-bearing) cross-origin requests to it and read the responses.
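As an added check for this PoC (example code written for this page, not part of the original finding or of any tool it names), the Node.js function below classifies a captured response the way a browser would, given the Origin that was sent. It goes slightly beyond the PoC: besides https://www.evil.com, it lists two further probe origins, a suffix-matching variant and the null origin, which are assumptions here; the sample responses and the hostname target.example are constructed, not captured from a real target.

```javascript
// Added example for this finding: classify a CORS response the way a browser
// would, given the Origin we sent. Sample responses and extra probe origins
// below are constructed for illustration, not captured from a real target.

// Origins worth sending; only the first comes from the PoC, the other two are
// common bypass probes (suffix-matching allowlists and the "null" origin).
const PROBE_ORIGINS = [
  "https://www.evil.com",
  "https://www.target.example.evil.com",
  "null",
];

// Parse "Header: value" lines into a lowercase-keyed map; the status line is skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Verdicts: "no-cors", "wildcard-no-credentials", "wildcard-credentials-blocked",
// "reflected-credentialed", "reflected-no-credentials", "null-credentialed",
// "null-no-credentials", "fixed-other-origin".
function classifyCors(sentOrigin, rawResponse) {
  const h = parseHeaders(rawResponse);
  const acao = h["access-control-allow-origin"];
  const acac = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao === undefined) return "no-cors";
  if (acao === "*") {
    // Browsers never expose a credentialed response to "*", so "*" plus
    // Allow-Credentials: true is sloppy but not exploitable for cookie-bearing requests.
    return acac ? "wildcard-credentials-blocked" : "wildcard-no-credentials";
  }
  if (acao === sentOrigin) {
    const base = sentOrigin === "null" ? "null" : "reflected";
    return acac ? `${base}-credentialed` : `${base}-no-credentials`;
  }
  // A different, fixed origin was named: our origin cannot read this response.
  return "fixed-other-origin";
}

// True only when a page on an attacker-controlled origin can issue a
// credentialed cross-origin request and read the body.
function isExploitable(verdict) {
  return verdict === "reflected-credentialed" || verdict === "null-credentialed";
}

// Constructed sample responses for the three cases a tester most often sees.
const RESPONSE_REFLECTED = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: https://www.evil.com",
  "Access-Control-Allow-Credentials: true",
  "Content-Type: application/json",
].join("\r\n");

const RESPONSE_WILDCARD = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Credentials: true",
].join("\r\n");

const RESPONSE_FIXED = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: https://app.target.example",
  "Access-Control-Allow-Credentials: true",
].join("\r\n");

// Stand-alone demo: a reflecting server would echo each probe origin, so
// simulate that against the reflected sample and print one verdict per probe.
function demo() {
  for (const origin of PROBE_ORIGINS) {
    const response = RESPONSE_REFLECTED.replace("https://www.evil.com", origin);
    const verdict = classifyCors(origin, response);
    console.log(`${origin.padEnd(40)} ${verdict.padEnd(28)} exploitable=${isExploitable(verdict)}`);
  }
}
demo();
```

Only a "reflected-credentialed" or "null-credentialed" verdict supports the impact described above; for that case the browser-side PoC is a page on the attacker origin calling fetch() against the target with credentials set to "include" and reading the response body. A wildcard with Allow-Credentials: true is a configuration error worth reporting, but browsers refuse to expose credentialed responses to "*", so it does not give the attacker the victim's session.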
Impact
Low
Likelihood
Low