Permissive Cross-domain Policy with Untrusted Domains
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-942: Permissive Cross-domain Policy with Untrusted Domains |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Allowing all origins ('*') with 'supports_credentials=True' in Flask-CORS lets any website send authenticated requests to your backend and receive sensitive data. This misconfiguration exposes cookies and authenticated sessions to untrusted third parties.
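The following added example (not part of this rule page or of Flask-CORS itself) models the response headers the two configurations produce, so the difference can be checked without a browser. Assumed: the `CorsConfig` class, function names and sample origins are constructed for illustration; the origin-reflection behaviour for `origins="*"` combined with `supports_credentials=True` is how Flask-CORS responds, because browsers reject a literal `*` together with credentials.

```python
# Added example: models the CORS decision for a wildcard-with-credentials
# configuration versus an explicit allowlist. Names and sample origins are
# constructed; only the header semantics follow Flask-CORS / the Fetch spec.
from dataclasses import dataclass, field


@dataclass
class CorsConfig:
    """Subset of the CORS(app, ...) options relevant to this rule (assumed model)."""
    origins: list = field(default_factory=lambda: ["*"])
    supports_credentials: bool = False


def is_permissive_with_credentials(cfg: CorsConfig) -> bool:
    """Flag the CWE-942 pattern: wildcard origin combined with credentials."""
    return "*" in cfg.origins and cfg.supports_credentials


def cors_response_headers(cfg: CorsConfig, request_origin: str) -> dict:
    """Return the Access-Control-* headers a response would carry.

    Browsers refuse '*' together with credentials, so a wildcard plus
    supports_credentials=True ends up reflecting the caller's Origin, which is
    why every site can read authenticated responses. With an explicit
    allowlist, only listed origins receive an Allow-Origin header at all.
    """
    headers = {}
    if "*" in cfg.origins:
        if cfg.supports_credentials:
            headers["Access-Control-Allow-Origin"] = request_origin  # reflected
            headers["Access-Control-Allow-Credentials"] = "true"
        else:
            headers["Access-Control-Allow-Origin"] = "*"
    elif request_origin in cfg.origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"  # cache must not mix per-origin responses
        if cfg.supports_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Vulnerable: CORS(app, origins="*", supports_credentials=True)
VULNERABLE = CorsConfig(origins=["*"], supports_credentials=True)
# Hardened: CORS(app, origins=["https://app.example.com"], supports_credentials=True)
HARDENED = CorsConfig(origins=["https://app.example.com"], supports_credentials=True)

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, is_permissive_with_credentials(cfg),
              cors_response_headers(cfg, "https://untrusted.example"))
```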
Impact
Attackers can make cross-origin requests from any site, potentially stealing user data, session cookies, or performing actions on behalf of users without their consent. This can lead to data breaches, account compromise, and loss of user trust.