CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains
Abstraction: Variant. Status: Incomplete. 20 recent CVEs are listed below.
Description
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Common consequences
- Scope: Confidentiality, Integrity, Availability, Access Control. Impact: Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Read Application Data; Varies by Context. Note: With an overly permissive policy file, an attacker may be able to bypass the web browser's same-origin policy and conduct many of the same attacks seen in Cross-Site Scripting (CWE-79). An attacker can exploit the weakness to transfer priva
Potential mitigations
- Phases: Architecture and Design, Operation. Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
- Phases: Architecture and Design, Operation. Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
- Phases: Architecture and Design, Operation. For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
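The three mitigations above amount to one review step: list every origin the policy trusts and reject wildcards and anything not on the site's own allowlist. The following audit script is an added example, not CWE or MITRE code; it assumes a hypothetical allowlist (TRUSTED_HOSTS) and uses constructed sample policies, placing a weak CSP header and crossdomain.xml beside their hardened forms.

```python
"""Audit a Content Security Policy header and a Flash crossdomain.xml for the
patterns CWE-942 warns about: wildcard sources and domains that are not on the
site's own allowlist. Added example; TRUSTED_HOSTS and the sample policies are
constructed for illustration."""
import xml.etree.ElementTree as ET

# Hypothetical allowlist of hosts this site legitimately communicates with.
TRUSTED_HOSTS = {"cdn.example.com", "api.example.com"}

# CSP directives whose source lists name origins the browser may talk to.
FETCH_DIRECTIVES = {"default-src", "script-src", "connect-src", "frame-src",
                    "img-src", "style-src", "font-src", "object-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expression, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_of(source):
    """Host part of a CSP source expression; None for keywords and bare schemes."""
    if source.startswith("'"):                      # 'self', 'none', nonces, hashes
        return None
    if source.endswith(":") and "/" not in source:  # scheme source such as data:
        return None
    rest = source.split("://", 1)[-1]               # drop scheme if present
    return rest.split("/")[0].split(":")[0].lower()  # drop path and port


def audit_csp(header):
    """Return (directive, source, reason) findings for permissive CSP sources."""
    findings = []
    for directive, sources in parse_csp(header).items():
        if directive not in FETCH_DIRECTIVES:
            continue
        for src in sources:
            # "*", "http:" and "https:" admit every origin on that scheme.
            if src in ("*", "http:", "https:"):
                findings.append((directive, src, "wildcard domain"))
                continue
            host = _host_of(src)
            if host is None:
                continue
            if "*" in host:                          # https://* or *.example.org
                findings.append((directive, src, "wildcard domain"))
            elif host not in TRUSTED_HOSTS:
                findings.append((directive, src, "domain not on allowlist"))
    return findings


def audit_crossdomain_xml(xml_text):
    """Return findings for a Flash cross-domain policy file (the site's own file,
    so the stdlib parser is acceptable here)."""
    findings = []
    root = ET.fromstring(xml_text)
    control = root.find("site-control")
    meta = control.get("permitted-cross-domain-policies") if control is not None else None
    # Without 'master-only' or 'none', extra policy files elsewhere on the host are honoured.
    if meta not in ("master-only", "none"):
        findings.append(("site-control", meta or "(missing)",
                         "meta-policy should be 'master-only' or 'none'"))
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if "*" in domain:
            findings.append(("allow-access-from", domain, "wildcard domain"))
        elif domain not in TRUSTED_HOSTS:
            findings.append(("allow-access-from", domain, "domain not on allowlist"))
    return findings


# Constructed sample policies: a permissive pair and a hardened pair.
WEAK_CSP = ("default-src 'self'; script-src 'self' https://* https://cdn.example.com; "
            "connect-src *")
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                "connect-src 'self' https://api.example.com")
WEAK_XML = ('<?xml version="1.0"?><cross-domain-policy>'
            '<allow-access-from domain="*"/></cross-domain-policy>')
HARDENED_XML = ('<?xml version="1.0"?><cross-domain-policy>'
                '<site-control permitted-cross-domain-policies="master-only"/>'
                '<allow-access-from domain="api.example.com"/></cross-domain-policy>')

if __name__ == "__main__":
    for label, result in (("weak CSP", audit_csp(WEAK_CSP)),
                          ("hardened CSP", audit_csp(HARDENED_CSP)),
                          ("weak crossdomain.xml", audit_crossdomain_xml(WEAK_XML)),
                          ("hardened crossdomain.xml", audit_crossdomain_xml(HARDENED_XML))):
        print(f"{label}: {len(result)} finding(s)")
        for directive, source, reason in result:
            print(f"  {directive}: {source!r} ({reason})")
```

Run against a real deployment, replace TRUSTED_HOSTS with the origins the application actually needs and treat every "wildcard domain" finding as a policy to rewrite rather than a warning to suppress; the "domain not on allowlist" findings are the ones to reconcile with whoever owns the third-party integration.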
Related CWEs
Recent CVEs classified under this CWE
- CVE-2026-54290 (score 7.1, 2026-06-22)
- CVE-2026-56076 (score 8.1, 2026-06-18)
- CVE-2026-50088 (score 8.2, 2026-06-12)
- CVE-2026-50087 (score 8.2, 2026-06-12)
- CVE-2026-10056 (score 7.5, 2026-05-29)
- CVE-2026-46685 (score not listed, 2026-05-28)
- CVE-2026-45021 (score not listed, 2026-05-28)
- CVE-2026-9739 (score not listed, 2026-05-27)
- CVE-2026-44895 (score not listed, 2026-05-26)
- CVE-2026-46431 (score 4.3, 2026-05-26)
- CVE-2026-8948 (score 9.1, 2026-05-19)
- CVE-2026-8576 (score 4.3, 2026-05-14)
- CVE-2026-8537 (score 4.3, 2026-05-14)
- CVE-2026-44184 (score 8.0, 2026-05-12)
- CVE-2026-7643 (score 4.3, 2026-05-02)
- CVE-2026-7581 (score 4.3, 2026-05-01)
- CVE-2026-41056 (score 8.1, 2026-04-21)
- CVE-2026-34839 (score 6.5, 2026-04-21)
- CVE-2026-6662 (score 7.3, 2026-04-20)
- CVE-2026-6143 (score 6.3, 2026-04-13)