CORS Misconfiguration Allows for Privileged Actions and Information Disclosure

CORS Misconfiguration Allows for Privileged Actions and Information Disclosure

CVE-2021-27786 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Cross-origin resource sharing (CORS) enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information when the Access-Control-Allow-Credentials is enabled.

Learn more about our Cis Benchmark Audit For Server Software.